Skip to content

Evals: agent-runtime prompt harness across Ollama Cloud models (#1588)#1590

Draft
legreffier[bot] wants to merge 5 commits into
mainfrom
issue-1588-evals-test-agent-runtime-prompt
Draft

Evals: agent-runtime prompt harness across Ollama Cloud models (#1588)#1590
legreffier[bot] wants to merge 5 commits into
mainfrom
issue-1588-evals-test-agent-runtime-prompt

Conversation

@legreffier

@legreffier legreffier Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Closes #1588.

What this adds

A deterministic-first eval harness for the agent-runtime prompt, so we can (a) catch prompt regressions before merge and (b) track which model/prompt is better over time — across Ollama Cloud models.

The key finding while scoping this: most of the machinery already existed (run_eval + judge_eval_attempt task types with hidden-rubric producer/judge separation, a live-ollama CI path, the deterministic gate signals the runtime already emits). So this is wiring + a trustworthy fresh corpus, not a new eval engine.

New: libs/agent-eval

  • readScenario — parses evals-v2/<slug>/{prompt.md,eval.json,rubric.json,gates.json} and fails loudly on drift (the deliberate opposite of the orphaned tools/src/tasks/scenario.ts).
  • buildRunEvalInput / buildJudgeInput — turn a scenario into run_eval / judge_eval_attempt inputs; the rubric is hidden from the producer, injected only on the judge side.
  • checkGates — the stage-1 deterministic evaluator (asserts execute_start model/workspace, prompt_assembled sections, tool-call presence/absence, and a schema-valid captured RunEvalOutput) reading the attempt message stream. Depends only on a narrow GateAgent interface, so it carries no runtime SDK dependency and is unit-tested with a fake.
  • runMatrix / summarizeMatrix — pure sweep orchestration with injected effects.
  • writeAgentCredentials / writePiConfig — extracted from live-ollama.e2e.test.ts so the smoke test and matrix runner share one copy.

New: evals-v2/ corpus (4 scenarios)

submit-output-compliance, prompt-assembly-integrity (pure-gate), instruction-following-bullets (exercises the pinned judge), tool-use-artifact-upload (requireToolCalls gate). A corpus guard test parses every scenario so a malformed one fails CI. evals/ (the old dir) is left untouched — it has legit rendered-pack scenarios worth mining before any cleanup.

New: per-PR smoke + nightly matrix

  • apps/agent-daemon-e2e/src/live-ollama-evals.e2e.test.ts — runs the corpus against one pinned model, gates only (no judge). Fast regression tripwire in the existing e2e-agent-daemon job.
  • apps/agent-daemon-e2e/src/eval-matrix-runner.ts + .github/workflows/eval-matrix.yml — nightly/on-demand sweep of N models × scenarios, gate-then-pinned-judge, emitting score-matrix.json.

Design: why gates + a pinned judge

The "inception" risk is that MoltNet's own judge runs through the same runtime prompt under test. The hybrid design breaks that loop:

  • Stage 1 gates are code, not a model — they cannot co-regress with the prompt under test. A gate failure → composite 0, judge skipped.
  • Stage 2 judge is pinned to one model held constant while producer models vary — a producer-side regression can't move the judge score.

Verification status

  • 34 unit tests pass (@moltnet/agent-eval), including the anti-inception path (gate fail → composite 0 → judge skipped).
  • Typecheck + lint green for libs/agent-eval and apps/agent-daemon-e2e.
  • ⚠️ The live LLM path is NOT verified in this PR (no Docker stack / no Ollama tokens spent). The judge leg is the least-verified — it relies on DB-backed warm-slot resolution surviving across runOnce calls (same mechanism as the continuation test, but not exercised here). Validate before trusting composites:
    pnpm run e2e:up
    OLLAMA_API_KEY=... MOLTNET_AGENT_DAEMON_LIVE_LLM_E2E=1 \
      pnpm exec nx run @themoltnet/agent-daemon-e2e:e2e
    # full matrix:
    OLLAMA_API_KEY=... pnpm exec tsx apps/agent-daemon-e2e/src/eval-matrix-runner.ts

Heads-up for reviewers / follow-ups

  • nx sync landmine: nx.json's sync.applyChanges: true makes nx sync rewrite the root tsconfig.json references from 49 → [] (Nx 22.7). Kept out of every commit here, but you'll hit it locally — git diff tsconfig.json after installs and restore if emptied; use MOLTNET_SKIP_NX_SYNC=1. (Corrects a stale diary claim.)
  • Model churn: nightly defaults use current .pi/models.json ids (qwen3.5:397b-cloud, glm-5.2:cloud, gpt-oss:120b-cloud). Note live-ollama.e2e.test.ts still hardcodes qwen3-coder:480b-cloud, which is not in the maintained list — worth a separate look.
  • :ci-main dependency: the nightly workflow pulls :ci-main images; it will fail until a main build has published them.
  • Rendered-pack A/B evals are a distinct track (per docs/use/context-pack-evals.md) — same machinery, foldable in later.

🤖 Authored by LeGreffier (fingerprint 1671-B080-99BF-4270).

@github-actions

Copy link
Copy Markdown
Contributor

⚠️ CLI go.mod is behind internal Go module releases

The CLI release is intentionally decoupled from same-run Go lib releases, so apps/moltnet-cli/go.mod must already be bumped in a normal PR.

Detected drift:

  • moltnet-api-client: go.mod has v1.44.1, expected v1.44.2

Run these commands from apps/moltnet-cli:

GOWORK=off go get github.com/getlarge/themoltnet/libs/moltnet-api-client@v1.44.2
GOWORK=off go mod tidy

@github-actions

Copy link
Copy Markdown
Contributor

🚨 Dependency Audit — Vulnerabilities found

Full report
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ critical            │ fast-jwt: Incomplete fix for CVE-2023-48223: JWT       │
│                     │ Algorithm Confusion via Whitespace-Prefixed RSA Public │
│                     │ Key                                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-jwt                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=6.1.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=6.2.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>@getlarge/fastify-mcp>@fastify/       │
│                     │ jwt>fast-jwt                                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-mvf2-f6gm-w987      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ critical            │ fast-jwt: Cache Confusion via cacheKeyBuilder          │
│                     │ Collisions Can Return Claims From a Different Token    │
│                     │ (Identity/Authorization Mixup)                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-jwt                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=0.0.1 <6.2.0                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=6.2.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>@getlarge/fastify-mcp>@fastify/       │
│                     │ jwt>fast-jwt                                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-rp9m-7r4c-75qg      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ critical            │ Arbitrary code execution in protobufjs                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <8.0.1                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-xq3m-2v4x-88gg      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ critical            │ fast-jwt: JWT auth bypass due to empty HMAC secret     │
│                     │ accepted by async key resolver                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-jwt                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=6.2.3                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=6.2.4                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>@getlarge/fastify-mcp>@fastify/       │
│                     │ jwt>fast-jwt                                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-gmvf-9v4p-v8jc      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ fast-jwt accepts unknown `crit` header extensions (RFC │
│                     │ 7515 violation)                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-jwt                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=6.1.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ <0.0.0                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>@getlarge/fastify-mcp>@fastify/       │
│                     │ jwt>fast-jwt                                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-hm7r-c7qw-ghp6      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ protobuf.js: Code injection through bytes field        │
│                     │ defaults in generated toObject code                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <=8.0.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-66ff-xgx4-vchm      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ protobuf.js: Code generation gadget after prototype    │
│                     │ pollution                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <=8.0.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-75px-5xx7-5xc7      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ protobuf.js: Process-wide denial of service through    │
│                     │ unsafe option paths                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <=8.0.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-jvwf-75h9-cwgg      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ protobuf.js: Denial of service through unbounded       │
│                     │ protobuf recursion                                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <=8.0.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-685m-2w69-288q      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ protobufjs: Denial of service through unbounded Any    │
│                     │ expansion during JSON conversion                       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <=8.4.0                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.4.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-wcpc-wj8m-hjx6      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ undici vulnerable to TLS certificate validation bypass │
│                     │ via dropped requestTls in SOCKS5 ProxyAgent            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ undici                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <8.5.0                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.5.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/gondolin>undici     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-vmh5-mc38-953g      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ undici vulnerable to TLS certificate validation bypass │
│                     │ via dropped requestTls in SOCKS5 ProxyAgent            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ undici                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=7.23.0 <7.28.0                                       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.28.0                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ tools>undici                                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-vmh5-mc38-953g      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ undici WebSocket client vulnerable to denial of        │
│                     │ service via cumulative fragment bypass                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ undici                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <8.5.0                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.5.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/gondolin>undici     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-38rv-x7px-6hhq      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ undici WebSocket client vulnerable to denial of        │
│                     │ service via fragment count bypass                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ undici                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <8.5.0                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.5.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/gondolin>undici     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-vxpw-j846-p89q      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ undici WebSocket client vulnerable to denial of        │
│                     │ service via fragment count bypass                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ undici                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=7.0.0 <7.28.0                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.28.0                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ tools>undici                                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-vxpw-j846-p89q      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ undici vulnerable to cross-origin request routing via  │
│                     │ SOCKS5 proxy pool reuse                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ undici                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=7.23.0 <7.28.0                                       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.28.0                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ tools>undici                                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-hm92-r4w5-c3mj      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ fast-jwt has a ReDoS when using RegExp in allowed*     │
│                     │ leading to CPU exhaustion during token verification    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-jwt                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=5.0.0 <=6.2.0                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=6.2.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>@getlarge/fastify-mcp>@fastify/       │
│                     │ jwt>fast-jwt                                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-cjw9-ghj4-fwxf      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ fast-jwt: Stateful RegExp (/g or /y) causes            │
│                     │ non-deterministic allowed-claim validation (logical    │
│                     │ DoS)                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-jwt                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <6.2.1                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=6.2.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>@getlarge/fastify-mcp>@fastify/       │
│                     │ jwt>fast-jwt                                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-3j8v-cgw4-2g6q      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ ip-address has XSS in Address6 HTML-emitting methods   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ ip-address                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=10.1.0                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=10.1.1                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>express-rate- │
│                     │ limit>ip-address                                       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-v2v4-37r5-5v8g      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ protobuf.js: Denial of service from crafted field      │
│                     │ names in generated code                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <=8.0.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-2pr8-phx7-x9h3      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ protobuf.js: Prototype injection in generated message  │
│                     │ constructors                                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <=8.0.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-fx83-v9x8-x52w      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ protobufjs has overlong UTF-8 decoding                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <=8.0.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-q6x5-8v7m-xcrf      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ protobufjs: Denial of Service via unbounded recursive  │
│                     │ JSON descriptor expansion                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <8.2.0                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.2.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-jggg-4jg4-v7c6      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ uuid: Missing buffer bounds check in v3/v5/v6 when buf │
│                     │ is provided                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ uuid                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <11.1.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=11.1.1                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>@getlarge/fastify-mcp>mqemitter-      │
│                     │ redis>hyperid>uuid                                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-w5hq-g745-h8pq      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ protobufjs : Schema-derived names can shadow           │
│                     │ runtime-significant properties                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <=8.5.0                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.6.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-f38q-mgvj-vph7      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ OpenTelemetry Core: Unbounded memory allocation in W3C │
│                     │ Baggage propagation                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ @opentelemetry/core                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <2.8.0                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=2.8.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/core                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-8988-4f7v-96qf      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ undici vulnerable to HTTP header injection via         │
│                     │ Set-Cookie percent-decoding                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ undici                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <8.5.0                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.5.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/gondolin>undici     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-p88m-4jfj-68fv      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ undici vulnerable to HTTP header injection via         │
│                     │ Set-Cookie percent-decoding                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ undici                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=7.0.0 <7.28.0                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.28.0                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ tools>undici                                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-p88m-4jfj-68fv      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ undici vulnerable to cross-user information disclosure │
│                     │ via shared cache whitespace bypass                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ undici                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <8.5.0                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.5.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/gondolin>undici     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-pr7r-676h-xcf6      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ undici vulnerable to cross-user information disclosure │
│                     │ via shared cache whitespace bypass                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ undici                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=7.0.0 <7.28.0                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.28.0                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ tools>undici                                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-pr7r-676h-xcf6      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ Elliptic Uses a Cryptographic Primitive with a Risky   │
│                     │ Implementation                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ elliptic                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=6.6.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ <0.0.0                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ libs__auth>get-jwks>jwk-to-pem>elliptic                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-848j-6mx2-7j84      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ undici vulnerable to HTTP response queue poisoning via │
│                     │ keep-alive socket reuse                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ undici                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <8.5.0                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.5.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/gondolin>undici     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-35p6-xmwp-9g52      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ undici vulnerable to HTTP response queue poisoning via │
│                     │ keep-alive socket reuse                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ undici                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=7.0.0 <7.28.0                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.28.0                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ tools>undici                                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-35p6-xmwp-9g52      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ undici vulnerable to Set-Cookie SameSite attribute     │
│                     │ downgrade via permissive substring matching            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ undici                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <8.5.0                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.5.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/gondolin>undici     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-g8m3-5g58-fq7m      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ undici vulnerable to Set-Cookie SameSite attribute     │
│                     │ downgrade via permissive substring matching            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ undici                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=7.0.0 <7.28.0                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.28.0                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ tools>undici                                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-g8m3-5g58-fq7m      │
└─────────────────────┴────────────────────────────────────────────────────────┘
35 vulnerabilities found
Severity: 5 low | 14 moderate | 12 high | 4 critical

@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

⚠️ Knip — Unused code or dependencies found

Run pnpm run knip locally to see details, or pnpm run knip:fix to auto-fix some of them.

Full report
�[93m�[4mUnused files�[24m�[39m (46)
.agents/skills/monitor-ci/scripts/ci-poll-decide.mjs                                       
.agents/skills/monitor-ci/scripts/ci-state-update.mjs                                      
apps/agent-daemon/src/lib/sandbox.ts                                                       
apps/console-e2e/src/seed-diary-browser.ts                                                 
apps/landing/src/hooks/useFeedSSE.ts                                                       
apps/mcp-host/server.mjs                                                                   
apps/mcp-host/src/sandbox.ts                                                               
apps/mcp-server-e2e/src/seed-task-app.ts                                                   
apps/mcp-server/src/schemas/index.ts                                                       
apps/rest-api/src/migrate.ts                                                               
apps/rest-api/src/sse/public-feed-poller.ts                                                
apps/rest-api/src/sse/sse-writer.ts                                                        
apps/rest-api/src/typebox-schema-id.d.ts                                                   
docs/.vitepress/env.d.ts                                                                   
evals/moltnet-practices/auth-middleware-early-return/fixtures/auth-plugin.ts               
evals/moltnet-practices/auth-middleware-early-return/fixtures/team-resolver.ts             
evals/moltnet-practices/e2e-raw-fetch-vs-api-client/fixtures/sdk.gen.ts                    
evals/moltnet-practices/repository-tenant-scope-bypass/fixtures/consolidate-workflow.ts    
evals/moltnet-practices/repository-tenant-scope-bypass/fixtures/diary-entry.repository.ts  
evals/moltnet-practices/rest-error-boundary/fixtures/pack-routes.ts                        
evals/moltnet-practices/rest-error-boundary/fixtures/verification-routes.ts                
evals/moltnet-practices/webhook-auth-status-code/fixtures/hooks.ts                         
examples/diary-create.ts                                                                   
examples/diary-search.ts                                                                   
examples/register.ts                                                                       
examples/sign-entry.ts                                                                     
libs/cpp-sdk/e2e/setup.ts                                                                  
libs/task-ui/demo/App.tsx                                                                  
libs/task-ui/demo/main.tsx                                                                 
test-fixtures/generate-ssh-vectors.mjs                                                     
test-fixtures/generate-x25519-vectors.mjs                                                  
tools/db/backfill-content-hashes.ts                                                        
tools/db/backfill-diary-team-links.ts                                                      
tools/db/backfill-keto-subject-set.ts                                                      
tools/db/backfill-personal-teams.ts                                                        
tools/db/backfill-team-relations-plural.ts                                                 
tools/db/cleanup-legacy-diary-tuples.ts                                                    
tools/docker-build.mjs                                                                     
tools/generators/split-tsconfigs/index.ts                                                  
tools/generators/split-tsconfigs/schema.d.ts                                               
tools/release/docker-preversion.mjs                                                        
tools/src/release/github-action-publisher.ts                                               
tools/src/release/go-module-publisher.cli.ts                                               
tools/src/tasks/api.ts                                                                     
tools/src/tasks/scenario.ts                                                                
tools/src/tasks/seed-judge-fixture.ts                                                      
�[93m�[4mUnused dependencies�[24m�[39m (58)
@moltnet/observability                       apps/agent-daemon-e2e/package.json:9:6     
@moltnet/tasks                               apps/agent-daemon-e2e/package.json:10:6    
@earendil-works/gondolin                     apps/agent-daemon/package.json:92:6        
@opentelemetry/instrumentation               apps/agent-daemon/package.json:97:6        
@opentelemetry/instrumentation-dns           apps/agent-daemon/package.json:98:6        
@opentelemetry/instrumentation-http          apps/agent-daemon/package.json:99:6        
@opentelemetry/instrumentation-net           apps/agent-daemon/package.json:100:6       
@opentelemetry/instrumentation-pg            apps/agent-daemon/package.json:101:6       
@opentelemetry/instrumentation-pino          apps/agent-daemon/package.json:102:6       
@opentelemetry/instrumentation-undici        apps/agent-daemon/package.json:103:6       
pino-pretty                                  apps/agent-daemon/package.json:112:6       
@moltnet/models                              apps/console/package.json:11:6             
@moltnet/bootstrap                           apps/mcp-server-e2e/package.json:8:6       
@moltnet/database                            apps/mcp-server-e2e/package.json:10:6      
@moltnet/crypto-service                      apps/mcp-server/package.json:29:6          
@moltnet/entry-explore-mcp-app               apps/mcp-server/package.json:30:6          
@themoltnet/design-system                    apps/mcp-server/package.json:34:6          
@fastify/otel                                apps/mcp-server/package.json:36:6          
@opentelemetry/exporter-metrics-otlp-proto   apps/mcp-server/package.json:38:6          
@opentelemetry/exporter-trace-otlp-proto     apps/mcp-server/package.json:39:6          
@opentelemetry/instrumentation               apps/mcp-server/package.json:40:6          
@opentelemetry/instrumentation-dns           apps/mcp-server/package.json:41:6          
@opentelemetry/instrumentation-http          apps/mcp-server/package.json:42:6          
@opentelemetry/instrumentation-net           apps/mcp-server/package.json:43:6          
@opentelemetry/instrumentation-pino          apps/mcp-server/package.json:44:6          
@opentelemetry/instrumentation-pg            apps/mcp-server/package.json:45:6          
@opentelemetry/instrumentation-runtime-node  apps/mcp-server/package.json:46:6          
@opentelemetry/instrumentation-undici        apps/mcp-server/package.json:47:6          
@opentelemetry/resources                     apps/mcp-server/package.json:48:6          
@opentelemetry/sdk-metrics                   apps/mcp-server/package.json:49:6          
@opentelemetry/sdk-trace-base                apps/mcp-server/package.json:50:6          
@opentelemetry/sdk-trace-node                apps/mcp-server/package.json:51:6          
@opentelemetry/semantic-conventions          apps/mcp-server/package.json:52:6          
pino                                         apps/mcp-server/package.json:56:6          
pino-opentelemetry-transport                 apps/mcp-server/package.json:57:6          
thread-stream                                apps/mcp-server/package.json:58:6          
@huggingface/transformers                    apps/rest-api/package.json:33:6            
@opentelemetry/exporter-metrics-otlp-proto   apps/rest-api/package.json:53:6            
@opentelemetry/instrumentation               apps/rest-api/package.json:55:6            
@opentelemetry/resources                     apps/rest-api/package.json:63:6            
@opentelemetry/sdk-metrics                   apps/rest-api/package.json:64:6            
@opentelemetry/sdk-trace-base                apps/rest-api/package.json:65:6            
@opentelemetry/sdk-trace-node                apps/rest-api/package.json:66:6            
@opentelemetry/semantic-conventions          apps/rest-api/package.json:67:6            
multiformats                                 apps/rest-api/package.json:74:6            
pino-pretty                                  apps/rest-api/package.json:77:6            
thread-stream                                apps/rest-api/package.json:78:6            
@noble/hashes                                libs/context-pack-service/package.json:19:6
typebox                                      libs/sdk/package.json:44:6                 
tslib                                        package.json:149:6                         
@earendil-works/pi-ai                        tools/package.json:22:6                    
@earendil-works/pi-coding-agent              tools/package.json:23:6                    
@moltnet/auth                                tools/package.json:25:6                    
@moltnet/models                              tools/package.json:32:6                    
@themoltnet/agent-runtime                    tools/package.json:36:6                    
@themoltnet/pi-extension                     tools/package.json:38:6                    
drizzle-orm                                  tools/package.json:41:6                    
fastq                                        tools/package.json:42:6                    
�[93m�[4mUnused devDependencies�[24m�[39m (35)
@moltnet/bootstrap          apps/agent-daemon/package.json:115:6        
@moltnet/crypto-service     apps/agent-daemon/package.json:116:6        
@moltnet/bootstrap          apps/console/package.json:21:6              
@moltnet/crypto-service     apps/console/package.json:22:6              
@moltnet/database           apps/console/package.json:23:6              
@themoltnet/sdk             apps/console/package.json:24:6              
@playwright/test            apps/console/package.json:26:6              
@moltnet/bootstrap          apps/mcp-server/package.json:61:6           
@moltnet/database           apps/mcp-server/package.json:62:6           
@moltnet/mcp-test-harness   apps/mcp-server/package.json:63:6           
@modelcontextprotocol/sdk   apps/mcp-server/package.json:64:6           
drizzle-orm                 apps/mcp-server/package.json:65:6           
pino-pretty                 apps/mcp-server/package.json:66:6           
@moltnet/api-client         apps/rest-api/package.json:84:6             
@moltnet/bootstrap          apps/rest-api/package.json:85:6             
@themoltnet/sdk             libs/agent-eval/package.json:20:6           
vitest                      libs/bootstrap/package.json:24:6            
@moltnet/crypto-service     libs/context-distill/package.json:17:6      
@moltnet/database           libs/context-distill/package.json:18:6      
@testcontainers/postgresql  libs/context-distill/package.json:19:6      
drizzle-orm                 libs/context-distill/package.json:20:6      
pg                          libs/context-distill/package.json:21:6      
@types/pg                   libs/context-distill/package.json:22:6      
@moltnet/api-client         libs/cpp-sdk/package.json:7:6               
@moltnet/bootstrap          libs/cpp-sdk/package.json:8:6               
@themoltnet/sdk             libs/cpp-sdk/package.json:9:6               
testcontainers              libs/diary-service/package.json:29:6        
@testing-library/react      libs/entry-explore-mcp-app/package.json:30:6
vitest                      libs/mcp-test-harness/package.json:22:6     
@nx/devkit                  package.json:74:6                           
@swc/helpers                package.json:86:6                           
husky                       package.json:96:6                           
lint-staged                 package.json:101:6                          
vite-plugin-dts             package.json:109:6                          
@types/figlet               tools/package.json:51:6                     
�[93m�[4mReferenced optional peerDependencies�[24m�[39m (1)
ink  libs/design-system/package.json
�[93m�[4mUnlisted dependencies�[24m�[39m (2)
@moltnet/database  evals/moltnet-practices/e2e-raw-fetch-vs-api-client/fixtures/governance.e2e.test.ts:19:46
pg                 libs/diary-service/__tests__/diary-service.dbos.integration.test.ts:38:27                
�[93m�[4mUnlisted binaries�[24m�[39m (9)
python3                                             .github/workflows/ci.yml     
clawhub                                             .github/workflows/release.yml
gofmt                                               .lintstagedrc.mjs            
cmake                                               libs/cpp-sdk/project.json    
ctest                                               libs/cpp-sdk/project.json    
go                                                  package.json                 
gofmt                                               package.json                 
packages/openclaw-skill/scripts/publish-clawhub.sh  package.json                 
packages/openclaw-skill/scripts/package.sh          package.json                 
�[93m�[4mUnused exports�[24m�[39m (117)
COMMON_REQUIRED_FLAGS                                       apps/agent-daemon/src/lib/help.ts:3:14                      
COMMON_OPTIONAL_FLAGS                                       apps/agent-daemon/src/lib/help.ts:11:14                     
getDaemonRuntimeContext                           function  apps/agent-daemon/src/lib/runtime-context.ts:24:17          
buildDaemonSlotId                                 function  apps/agent-daemon/src/lib/task-execution-plan.ts:97:17      
ENTRY_TYPE_LABELS                                           apps/console/src/diaries/utils.ts:14:3                      
ENTRY_TYPES                                                 apps/console/src/diaries/utils.ts:15:3                      
estimateTokenCount                                          apps/console/src/diaries/utils.ts:16:3                      
formatDateTime                                              apps/console/src/diaries/utils.ts:17:3                      
ENTRY_TYPE_OPTIONS                                          apps/console/src/diaries/utils.ts:21:14                     
getEntryTypeQuery                                 function  apps/console/src/diaries/utils.ts:29:17                     
MOBILE_BREAKPOINT                                           apps/console/src/hooks/useIsMobile.ts:3:14                  
TABLET_BREAKPOINT                                           apps/console/src/hooks/useIsMobile.ts:4:14                  
groupTasksByLane                                            apps/console/src/tasks/status.ts:25:3                       
statusToLane                                                apps/console/src/tasks/status.ts:26:3                       
TASK_LANES                                                  apps/console/src/tasks/status.ts:27:3                       
consoleCorrelationUrl                             function  apps/issue-lifecycle/src/status-comment.ts:36:17            
consoleAttemptUrl                                 function  apps/issue-lifecycle/src/status-comment.ts:48:17            
outputState                                       function  apps/issue-lifecycle/src/test-fakes.ts:41:17                
API_BASE_URL                                                apps/landing/src/api.ts:16:14                               
handleDiaryTags                                   function  apps/mcp-server/src/diary-tools.ts:315:23                   
handleGrantCreate                                 function  apps/mcp-server/src/grant-tools.ts:38:23                    
handleGrantRevoke                                 function  apps/mcp-server/src/grant-tools.ts:70:23                    
handleGrantList                                   function  apps/mcp-server/src/grant-tools.ts:102:23                   
handlePacksUpdate                                 function  apps/mcp-server/src/pack-tools.ts:319:23                    
handleRenderedPacksUpdate                         function  apps/mcp-server/src/pack-tools.ts:409:23                    
handlePacksDiff                                   function  apps/mcp-server/src/pack-tools.ts:511:23                    
EntryMapZoneSearchSchema                                    apps/mcp-server/src/schemas/entry-explore-schemas.ts:9:14   
EntryMapZoneProvenanceSchema                                apps/mcp-server/src/schemas/entry-explore-schemas.ts:24:14  
EntryMapZoneSchema                                          apps/mcp-server/src/schemas/entry-explore-schemas.ts:47:14  
EntryMapDataSchema                                          apps/mcp-server/src/schemas/entry-explore-schemas.ts:88:14  
CustomPackEntrySelectionSchema                              apps/mcp-server/src/schemas/pack-schemas.ts:107:14          
handleTasksContinue                               function  apps/mcp-server/src/task-tools.ts:177:23                    
handleTeamsList                                   function  apps/mcp-server/src/team-tools.ts:62:23                     
handleTeamMembersList                             function  apps/mcp-server/src/team-tools.ts:84:23                     
handleTeamsCreate                                 function  apps/mcp-server/src/team-tools.ts:109:23                    
handleTeamsJoin                                   function  apps/mcp-server/src/team-tools.ts:132:23                    
handleTeamsDelete                                 function  apps/mcp-server/src/team-tools.ts:155:23                    
handleTeamsInviteCreate                           function  apps/mcp-server/src/team-tools.ts:178:23                    
handleTeamsInviteList                             function  apps/mcp-server/src/team-tools.ts:211:23                    
handleTeamsInviteDelete                           function  apps/mcp-server/src/team-tools.ts:236:23                    
handleTeamsMemberRemove                           function  apps/mcp-server/src/team-tools.ts:264:23                    
DATABASE_URL                                                apps/rest-api-e2e/src/setup.ts:54:3                         
HYDRA_ADMIN_URL                                             apps/rest-api-e2e/src/setup.ts:55:3                         
KETO_READ_URL                                               apps/rest-api-e2e/src/setup.ts:57:3                         
KETO_WRITE_URL                                              apps/rest-api-e2e/src/setup.ts:58:3                         
KRATOS_ADMIN_URL                                            apps/rest-api-e2e/src/setup.ts:59:3                         
ServerConfigSchema                                          apps/rest-api/src/config.ts:27:14                           
DatabaseConfigSchema                                        apps/rest-api/src/config.ts:39:14                           
WebhookConfigSchema                                         apps/rest-api/src/config.ts:44:14                           
RecoveryConfigSchema                                        apps/rest-api/src/config.ts:48:14                           
OryConfigSchema                                             apps/rest-api/src/config.ts:52:14                           
ObservabilityConfigSchema                                   apps/rest-api/src/config.ts:63:14                           
RuntimeSessionStorageConfigSche…                            apps/rest-api/src/config.ts:131:14                          
TaskArtifactStorageConfigSchema                             apps/rest-api/src/config.ts:149:14                          
EmbeddingConfigSchema                                       apps/rest-api/src/config.ts:165:14                          
SecurityConfigSchema                                        apps/rest-api/src/config.ts:172:14                          
loadEmbeddingConfig                               function  apps/rest-api/src/config.ts:380:17                          
loadPackGcConfig                                  function  apps/rest-api/src/config.ts:390:17                          
loadTaskOrphanSweeperConfig                       function  apps/rest-api/src/config.ts:400:17                          
loadTaskArtifactStorageConfig                     function  apps/rest-api/src/config.ts:420:17                          
acceptsProblemJson                                          apps/rest-api/src/problems/index.ts:2:3                     
findProblemTypeByCode                                       apps/rest-api/src/problems/index.ts:9:3                     
findProblemTypeByStatus                                     apps/rest-api/src/problems/index.ts:10:3                    
getTypeUri                                                  apps/rest-api/src/problems/index.ts:11:3                    
problemTypes                                                apps/rest-api/src/problems/index.ts:13:3                    
DiaryTagCountSchema                                         apps/rest-api/src/schemas/diary.ts:58:14                    
PublicAuthorSchema                                          apps/rest-api/src/schemas/diary.ts:123:14                   
ContextPackEntrySchema                                      apps/rest-api/src/schemas/packs.ts:9:14                     
TaskActivityAnalyticsGroupBySch…                            apps/rest-api/src/schemas/tasks.ts:185:14                   
TaskActivityProductMetricsSchema                            apps/rest-api/src/schemas/tasks.ts:360:14                   
TaskTypeDescriptorSchema                                    apps/rest-api/src/schemas/tasks.ts:497:14                   
serializeRuntimeWorkspace                         function  apps/rest-api/src/services/runtime-slots.ts:171:17          
inflateRowCreator                                 function  apps/rest-api/src/utils/auth-principal.ts:142:23            
resolvePrincipal                                            apps/rest-api/src/utils/auth-principal.ts:191:10            
HumanOnboardingError              WorkflowExpor…  class     …s/rest-api/src/workflows/human-onboarding-workflow.ts:36:14
diaryTransferWorkflow             WorkflowExpor…            apps/rest-api/src/workflows/index.ts:4:3                    
TRANSFER_DECISION_EVENT           WorkflowExpor…            apps/rest-api/src/workflows/index.ts:7:3                    
HumanOnboardingError              WorkflowExpor…            apps/rest-api/src/workflows/index.ts:12:3                   
DEFAULT_WORKFLOW_TIMEOUT_MS       WorkflowExpor…            apps/rest-api/src/workflows/index.ts:46:3                   
runWorkflow                       WorkflowExpor…            apps/rest-api/src/workflows/index.ts:47:3                   
FOUNDING_ACCEPT_EVENT             WorkflowExpor…            apps/rest-api/src/workflows/index.ts:51:3                   
TeamFoundingTimeoutError          WorkflowExpor…            apps/rest-api/src/workflows/index.ts:57:3                   
teamFoundingWorkflow              WorkflowExpor…            apps/rest-api/src/workflows/index.ts:58:3                   
DEFAULT_WORKFLOW_TIMEOUT_MS       WorkflowExpor…            apps/rest-api/src/workflows/run-workflow.ts:14:14           
runWorkflow                       WorkflowExpor…  function  apps/rest-api/src/workflows/run-workflow.ts:33:23           
TeamFoundingTimeoutError          WorkflowExpor…  class     apps/rest-api/src/workflows/team-founding-workflow.ts:32:14 
DEFAULT_E2E_REST_API_URL                                    libs/bootstrap/src/e2e-harness.ts:26:14                     
DEFAULT_E2E_DATABASE_URL                                    libs/bootstrap/src/e2e-harness.ts:27:14                     
DEFAULT_E2E_HYDRA_PUBLIC_URL                                libs/bootstrap/src/e2e-harness.ts:29:14                     
DEFAULT_E2E_HYDRA_ADMIN_URL                                 libs/bootstrap/src/e2e-harness.ts:30:14                     
DEFAULT_E2E_KETO_READ_URL                                   libs/bootstrap/src/e2e-harness.ts:31:14                     
DEFAULT_E2E_KETO_WRITE_URL                                  libs/bootstrap/src/e2e-harness.ts:32:14                     
DEFAULT_E2E_KRATOS_ADMIN_URL                                libs/bootstrap/src/e2e-harness.ts:33:14                     
DEFAULT_E2E_AGENT_SCOPES                                    libs/bootstrap/src/e2e-harness.ts:34:14                     
DBOSWorkflowConflictError                                   libs/database/src/dbos.ts:154:3                             
MAX_PUBLIC_CONTENT_LENGTH                                   libs/diary-service/src/diary-service.ts:51:14               
nextStepId                                        function  libs/entry-explore-mcp-app/src/state/map.ts:117:17          
DEFAULT_TASK_ARTIFACT_MAX_BYTES                             …node-red-contrib-core/src/nodes/task-artifact-utils.ts:9:14
resolveTaskId                                     function  …ode-red-contrib-core/src/nodes/task-artifact-utils.ts:26:17
resolveTeamId                                     function  …ode-red-contrib-core/src/nodes/task-artifact-utils.ts:39:17
resolveAttemptN                                   function  …ode-red-contrib-core/src/nodes/task-artifact-utils.ts:53:17
resolveOverride                                   function  libs/node-red-contrib-core/src/nodes/task-builder.ts:118:17 
abortError                                        function  libs/pi-extension/src/abort-utils.ts:9:17                   
resolveTaskScratchPath                            function  libs/pi-extension/src/runtime/task-workspace.ts:130:17      
GUEST_TASK_SKILLS_MOUNT                                     libs/pi-extension/src/vm-manager.ts:42:14                   
DELETE_ELIGIBLE_STATUSES                                    libs/task-service/src/task-service.shared.ts:15:14          
LIVE_STATUSES                                               libs/task-service/src/task-service.shared.ts:19:14          
HIGH_FRICTION_TURNS                                         libs/task-ui/src/analytics/constants.ts:13:14               
HIGH_FRICTION_FAILED_TOOL_CALLS                             libs/task-ui/src/analytics/constants.ts:14:14               
makeClient                                        function  packages/legreffier-cli/src/api.ts:78:17                    
formatPortIssues                                  function  packages/legreffier-cli/src/phases/portValidate.ts:213:17   
main                                              function  tools/src/release/go-artifact-publisher.cli.ts:106:23       
printGoArtifactReleasePlan                        function  tools/src/release/go-artifact-publisher.ts:531:17           
readText                                          function  tools/src/release/go-version-actions.ts:43:17               
readGoModulePath                                  function  tools/src/release/go-version-actions.ts:47:17               
resolveGoReleaseValidationRoots                   function  tools/src/release/go-version-actions.ts:200:17              
default                                           class     tools/src/release/go-version-actions.ts:731:22              
�[93m�[4mUnused exported types�[24m�[39m (68)
PiAgentDirSource                               type       apps/agent-daemon/src/lib/pi-agent-dir.ts:4:13                
MailRecord                                     interface  apps/console-e2e/src/helpers/mailslurper.ts:3:18              
GroupedTasks                                   type       apps/console/src/tasks/status.ts:24:8                         
TaskLane                                       type       apps/console/src/tasks/status.ts:28:8                         
TaskLaneId                                     type       apps/console/src/tasks/status.ts:29:8                         
UiResourceData                                 interface  apps/mcp-host/src/implementation.ts:25:18                     
EntryMapZoneSearch                             type       apps/mcp-server/src/schemas/entry-explore-schemas.ts:22:13    
EntryMapZone                                   type       apps/mcp-server/src/schemas/entry-explore-schemas.ts:86:13    
CorsPluginOptions                              interface  apps/rest-api/src/plugins/cors.ts:11:18                       
RateLimitPluginOptions                         interface  apps/rest-api/src/plugins/rate-limit.ts:19:18                 
ProblemType                                    type       apps/rest-api/src/problems/index.ts:12:8                      
AgentPrincipal                                 type       apps/rest-api/src/schemas/principal.ts:37:8                   
HumanPrincipal                                 type       apps/rest-api/src/schemas/principal.ts:39:8                   
PrincipalIdentity                              type       apps/rest-api/src/schemas/principal.ts:41:8                   
RuntimeSlotSubject                             interface  apps/rest-api/src/services/runtime-slots.ts:33:18             
CreateTaskInput                                type       apps/rest-api/src/services/task.service.ts:2:8                
AuthContext                                    type       apps/rest-api/src/types.ts:14:3                               
RelationshipReader                             type       apps/rest-api/src/types.ts:16:3                               
RelationshipWriter                             type       apps/rest-api/src/types.ts:17:3                               
RuntimeSessionStorage                          type       apps/rest-api/src/types.ts:45:15                              
TaskAnalyticsService                           type       apps/rest-api/src/types.ts:46:15                              
TaskArtifactStorage                            type       apps/rest-api/src/types.ts:47:15                              
DiaryTransferDeps              WorkflowExpor…  type       apps/rest-api/src/workflows/index.ts:2:8                      
DiaryTransferResult            WorkflowExpor…  type       apps/rest-api/src/workflows/index.ts:3:8                      
TransferDecision               WorkflowExpor…  type       apps/rest-api/src/workflows/index.ts:8:8                      
HumanOnboardingDeps            WorkflowExpor…  type       apps/rest-api/src/workflows/index.ts:11:8                     
HumanOnboardingResult          WorkflowExpor…  type       apps/rest-api/src/workflows/index.ts:13:8                     
LegreffierOnboardingDeps       WorkflowExpor…  type       apps/rest-api/src/workflows/index.ts:24:8                     
MaintenanceDeps                WorkflowExpor…  type       apps/rest-api/src/workflows/index.ts:33:8                     
RegistrationDeps               WorkflowExpor…  type       apps/rest-api/src/workflows/index.ts:38:8                     
RegistrationResult             WorkflowExpor…  type       apps/rest-api/src/workflows/index.ts:39:8                     
RunWorkflowOptions             WorkflowExpor…  type       apps/rest-api/src/workflows/index.ts:48:8                     
FoundingMember                 WorkflowExpor…  type       apps/rest-api/src/workflows/index.ts:52:8                     
TeamFoundingDeps               WorkflowExpor…  type       apps/rest-api/src/workflows/index.ts:55:8                     
TeamFoundingResult             WorkflowExpor…  type       apps/rest-api/src/workflows/index.ts:56:8                     
TaskDeletionWorkflowInput      WorkflowExpor…  type       apps/rest-api/src/workflows/index.ts:62:8                     
TaskDeletionWorkflowResult     WorkflowExpor…  type       apps/rest-api/src/workflows/index.ts:63:8                     
TaskDeletionWorkflowInput                      type       apps/rest-api/src/workflows/maintenance.ts:41:8               
TaskDeletionWorkflowResult                     type       apps/rest-api/src/workflows/maintenance.ts:42:8               
RunWorkflowOptions             WorkflowExpor…  interface  apps/rest-api/src/workflows/run-workflow.ts:21:18             
AdoptionState                                  interface  docs/.vitepress/theme/auth/useAdoption.ts:38:18               
AdoptionStageKey                               type       docs/.vitepress/theme/auth/useAdoption.ts:285:13              
AdoptionStage                                  interface  docs/.vitepress/theme/auth/useAdoption.ts:293:18              
DocsTeam                                       interface  docs/.vitepress/theme/auth/useTeamSelection.ts:9:18           
SessionResolverLogger                          interface  libs/auth/src/session-resolver.ts:24:18                       
GroupCreator                                   interface  libs/database/src/repositories/group.repository.ts:16:18      
RuntimeWorkspaceKind                           type       …bs/database/src/repositories/runtime-slot.repository.ts:15:13
EntriesListArgs                                interface  libs/entry-explore-mcp-app/src/adapter/tool-calls.ts:22:18    
EntriesSearchArgs                              interface  libs/entry-explore-mcp-app/src/adapter/tool-calls.ts:32:18    
DiaryTagsArgs                                  interface  libs/entry-explore-mcp-app/src/adapter/tool-calls.ts:44:18    
EntriesGetArgs                                 interface  libs/entry-explore-mcp-app/src/adapter/tool-calls.ts:51:18    
PacksCreateArgs                                interface  libs/entry-explore-mcp-app/src/adapter/tool-calls.ts:57:18    
PacksUpdateArgs                                interface  libs/entry-explore-mcp-app/src/adapter/tool-calls.ts:65:18    
PacksProvenanceArgs                            interface  libs/entry-explore-mcp-app/src/adapter/tool-calls.ts:71:18    
CommandRegistrar                               type       libs/pi-extension/src/commands/index.ts:5:3                   
SessionMeta                                    type       libs/pi-extension/src/commands/index.ts:7:3                   
SubmitMissingRepromptEvent                     interface  libs/pi-extension/src/runtime/execute-pi-task.ts:2026:18      
RateLimitRetryOptions                          type       libs/sdk/src/retry.ts:5:15                                    
TaskArtifactAttemptInput                       interface  libs/task-artifact-service/src/task-artifacts.ts:62:18        
TaskListInput                                  interface  libs/task-service/src/task-query.service.ts:17:18             
SuccessCriteriaRubricCriteri…                  interface  libs/task-ui/src/success-criteria.ts:80:18                    
RubricTemplate                                 interface  libs/task-ui/src/success-criteria.ts:123:18                   
AgentAdapter                                   type       packages/legreffier-cli/src/adapters/index.ts:13:15           
AgentAdapterOptions                            type       packages/legreffier-cli/src/adapters/index.ts:13:29           
ResolveInstallationStatus                      type       …ges/legreffier-cli/src/phases/portResolveInstallation.ts:6:13
VerifyInstallationStatus                       type       …ages/legreffier-cli/src/phases/portVerifyInstallation.ts:4:13
InitPhase                                      type       packages/legreffier-cli/src/state.ts:4:13                     
GoArtifactBuildStep                            type       tools/src/release/go-artifact-publisher.ts:74:13              
�[93m�[4mDuplicate exports�[24m�[39m (1)
GUEST_TASK_CONTEXT_MOUNT|GUEST_TASK_SKILLS_MOUNT  libs/pi-extension/src/vm-manager.ts
�[93m�[4mUnused catalog entries�[24m�[39m (4)
@anthropic-ai/claude-agent-sdk  default  pnpm-workspace.yaml:25:4 
@fastify/static                 default  pnpm-workspace.yaml:37:4 
@openai/codex-sdk               default  pnpm-workspace.yaml:62:4 
zod                             default  pnpm-workspace.yaml:153:3
�[33m�[4mConfiguration hints�[24m (6)�[39m
. �[90m(root)�[39m                      …p.config.ts  �[90mAdd �[97mentry�[90m and/or refine �[97mproject�[90m files in �[97mworkspaces["."]�[90m (16 unused files)�[39m  
tools                         …p.config.ts  �[90mAdd �[97mentry�[90m and/or refine �[97mproject�[90m files in �[97mworkspaces["tools"]�[90m (15 unused fil…�[39m
apps/rest-api                 …p.config.ts  �[90mAdd �[97mentry�[90m and/or refine �[97mproject�[90m files in �[97mworkspaces["apps/rest-api"]�[90m (4 unu…�[39m
apps/mcp-host                 …p.config.ts  �[90mAdd �[97mentry�[90m and/or refine �[97mproject�[90m files in �[97mworkspaces["apps/mcp-host"]�[90m (2 unu…�[39m
libs/task-ui                  …p.config.ts  �[90mAdd �[97mentry�[90m and/or refine �[97mproject�[90m files in �[97mworkspaces["libs/task-ui"]�[90m (2 unus…�[39m
e2e/**/*.ts     …ps/rest-api  …p.config.ts  �[90mRefine �[97mentry�[90m pattern (no matches)�[39m                                           
 ELIFECYCLE  Command failed with exit code 1.

@legreffier legreffier Bot force-pushed the issue-1588-evals-test-agent-runtime-prompt branch from edd6ddb to 7b6625e Compare July 10, 2026 10:38
@getlarge getlarge marked this pull request as ready for review July 10, 2026 10:42
@legreffier

legreffier Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor Author

Complexity Review Judgment

Composite Score: 1.0/1.0
Verdict: PASS

  • cognitive_load: Pass. Single-purpose addition of a well-structured eval harness. Clear separation of concerns.
  • blast_radius: Pass. Change is almost entirely additive; no modifications to core public contracts or shared utilities.
  • test_coverage_delta: Pass. Extensive unit test suite for the new library and a corpus guard test.
  • security_surface: Pass. No changes to security-sensitive paths.
  • reviewer_orientation: Pass. Exceptionally detailed PR description providing clear intent and verification guidance.

Rationale:
The PR introduces a deterministic-first evaluation harness () for agent-runtime prompts. The design is coherent, the implementation is isolated from core runtime logic, and the documentation is thorough. The 'anti-inception' layer (deterministic gates) is a key design highlight that ensures the eval's integrity. Reviewer burden is minimal due to the additive nature of the change and the high quality of the provided context.

legreffier Bot added 5 commits July 10, 2026 15:43
The @moltnet/agent-eval lib: scenario reader, run_eval/judge_eval_attempt
input builders (rubric hidden from producer), the stage-1 checkGates
deterministic evaluator, and shared Pi-config helpers extracted from the
live-ollama e2e test. 25 unit tests, no LLM dependency.

Foundation for the agent-runtime prompt eval harness (#1588).

MoltNet-Diary: 0c348d10-0bfe-45b6-9255-c71cc6c24576
Task-Group: agent-eval-harness
Task-Family: feature
submit-output-compliance and prompt-assembly-integrity (pure-gate),
instruction-following-bullets (exercises the pinned judge rubric), and
tool-use-artifact-upload (requireToolCalls gate under shared_mount). A
corpus test parses every scenario so malformed ones fail CI.

MoltNet-Diary: dd78066d-3b8a-447e-bdb5-7267227dcb58
Task-Group: agent-eval-harness
live-ollama-evals.e2e.test.ts runs the evals-v2 corpus against one pinned
Ollama Cloud model and asserts deterministic gates only (no judge) — the
per-PR regression tripwire. Refactors live-ollama.e2e.test.ts to use the
shared writeAgentCredentials/writePiConfig from @moltnet/agent-eval.

MoltNet-Diary: b37e089b-3bab-4b1e-ac74-05bff453b8e6
Task-Group: agent-eval-harness
runMatrix sweeps (model x scenario), gating the pinned-model judge behind
stage-1 deterministic gates (gate fail => composite 0, judge skipped).
eval-matrix-runner.ts wires the live effects and writes score-matrix.json,
sequencing producer then judge via runOnce (warm slot is DB-backed, so it
survives across calls). 4 orchestration unit tests; judge leg deferred to
a live run.

MoltNet-Diary: a87690d3-f426-4160-aef1-0b44dd255a3c
Task-Group: agent-eval-harness
eval-matrix.yml sweeps the evals-v2 corpus across N Ollama Cloud models on
a schedule + workflow_dispatch, using :ci-main images, and uploads
score-matrix.json. Not per-PR (exceeds the 15-min budget). Also aligns the
runner default models to the maintained .pi/models.json list (the previous
defaults were retired).

MoltNet-Diary: 51d57f47-e446-427f-a116-878c95ee95cf
Task-Group: agent-eval-harness
@legreffier legreffier Bot force-pushed the issue-1588-evals-test-agent-runtime-prompt branch from 7b6625e to 8f2024b Compare July 10, 2026 13:43
@legreffier

legreffier Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor Author

⏸️ Parked — pending runtime-prompt preset design

This draft is intentionally parked. The runtime prompt is being reworked so that it is no longer hardcoded in buildRuntimeInstructor() / the per-task-type builders, but instead lives in a versioned preset carried by the (now-required) runtime profile — letting the operator choose which prompt/skills/context are loaded by default, and letting those presets be versioned and tested independently.

That reshapes the eval's variable under test: from "model, against a fixed hardcoded prompt" → "preset (± model)". Fixing the scenario prompts now would be throwaway, so scenario calibration is on hold until the preset shape lands.

What stays valid (preset-agnostic, keep warm)

  • libs/agent-eval — the reader, input builders, checkGates deterministic evaluator, and runMatrix orchestration core. 34 unit tests.
  • The gate/judge design (deterministic gates → pinned-model judge). The anti-inception rationale is unchanged.
  • The 4 evals-v2 scenarios test behavior (submit compliance, prompt assembly, instruction-following, tool-use), which is preset-agnostic.

What will need retargeting once presets exist

  • The matrix runner's sweep axis → preset × model (small change; the gate/judge core is untouched).
  • requirePromptSections gates become "did the preset assemble the sections it claims?" — more useful, not obsolete.
  • score-matrix.json gains a preset-version dimension so "preset v1 vs v2" is a first-class comparison.

Known-broken (expected, not a harness bug)

The one failing CI job (E2E Tests (Agent Daemon)) is the live gate smoke: all 4 producers failed the submit_run_eval_output contract (totalTokens/durationMs/verification type/shape errors). The gate layer caught this correctly — it is a scenario-prompt calibration issue (and a runtime-prompt one), which is exactly what will be revisited as "preset v1" once the preset design lands.

No action needed on this PR until the preset work is further along.

@getlarge getlarge marked this pull request as draft July 12, 2026 17:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Evals: test the agent runtime prompt across Ollama Cloud models (regression + progress)

1 participant