Changelog
All notable changes to the Graphorin framework are documented in this file. The format follows Keep a Changelog; the project follows Semantic Versioning (pre-1.0: minor bumps may carry breaking changes; patch bumps do not).
Per-package changelogs live in each package's CHANGELOG.md.
Publication note. Versions
0.1.0-0.4.0were lockstep version milestones developed in the open; public npm publication of the@graphorinscope (with Sigstore build provenance) begins with0.5.0.
0.7.0 - 2026-07-07
The third framework-wide remediation release - all six waves of the 2026-07-05 project review of v0.6.1 (157 findings, a 151-work-item plan across 16 clusters). Headlines: durable HITL now composes across the sub-agent boundary, workflow timers fire on their own, session hard-delete erases everything session-scoped, the server prunes derived data by default, CommonJS consumers can plain require() every package (Node floor 22.12), and zod 4 consumers typecheck. Per-package details live in each package's CHANGELOG.md; upgrade notes are in the migration guide (documentation/guide/migration.md).
Security & data flow
- Untrusted-content envelopes can no longer be spoofed or escaped:
wrapEnvelopeneutralizes embedded<<<untrusted_content>>>delimiters, the memory consolidation + compaction prompts delimit stored memory text as data the same way, a newuntrusted-content-delimiter-injectionredaction pattern turns break-out attempts into an audit signal, and MCPisErrortext plus tool-schema annotations (the tool-poisoning class) are sanitized at the boundary. - The Rule-of-Two
untrustedInputleg is actually enforced (a profile that gives the leg up now forbids untrusted-source tools), the dataflow sink gate inspects post-repair arguments, spill handles are run-scoped with taint sidecars unreadable throughread_result, cross-page imperative payloads are caught at spill time, andcontainsPiisees through Unicode obfuscation. - Server auth is attenuation-only and symmetric:
POST /v1/tokensrefuses to mint scopes the minter's own grant does not cover; session REST/SSE reads honour per-resource scopes; run control binds to the run's owning agent/workflow; a malformed/streambody answers 400 instead of silently burning tokens; WS replay frames pass the same sanitizer as live delivery. - Audit chain: cross-process fencing for append + prune, the
audit.ciphersetting is finally honoured (default pinnedchacha20),pruneAuditsurvives the real driver and prompts re-anchoring, the skill trust root'spublishersleg is cryptographically bound to the key-serving domain, and security-relevant tool events flow into the tamper-evident audit log by default (audit.toolEvents).
Memory pipeline
- Consolidation stops silently losing facts: truncated (
finishReason: 'length') extractions split-and-retry or salvage the complete prefix, over-budget transcripts split before the provider call, a poison slice can no longer wedge the cursor forever (bounded skip), DLQ slice-capture is per-scope, and completion accounting is exception-safe (no more stuck scope locks). - Supersede keeps knowledge visible: while a quarantined successor awaits validation the old fact stays recall-visible; quarantined insights no longer pass-decay before review; compaction summary-trust fails closed on scanner timeout.
- Retrieval: construction-time
searchDefaultsbring the advanced stack (multi-query, HyDE, graph expansion, fusion tuning) tofact_search, auto-recall anddeep_recall; the trust discount applies before the final top-k cut; HyDE honoursincludeSuperseded/owner; multi-query fan-out embeds in one batch; the iterative-retrieval difficulty gate is tunable. - Scope-guarded mutators:
forget,setStatus,archive,purgeandmarkAccessedaccept a scope and no-op on foreign ids, symmetric with the read-side isolation.
Workflow durability
- Durable timers fire without user polling code: suspended checkpoints carry
wakeAt(migration 032),createTimerDriverticks due threads, and the server binds it as a lifecycle daemon reported on/v1/health. - Replay is safer: positional
pause()replay detects divergence (typedpause-replay-divergence), the JSON-safety gate covers pause / approval /Dispatch/ directive values,maxStepscaps per invocation (with an opt-inmaxTotalStepslifetime quota), and the docs stop calling side effects exactly-once (journaled channel writes replay once; effects are at-least-once). - The HTTP workflow surface exposes every durable primitive: named awakeable
resume,retry,tick, a realfork, per-threaddeleteThreaderasure, and machine-readable failurecodes on the wire.
Agent runtime & HITL
- Durable HITL composes across the sub-agent boundary: a handoff or
toToolchild suspending on an approval-gated tool parks on the parent (RunState.pendingSubRuns) instead of failing the run; decisions route on a composite key, the granted call executes exactly once, and nested parks recurse - serialized snapshots carry children version-stamped and secret-redacted. - Delegated usage folds into the parent's accounting,
currentAgentIdis restored after a handoff, step numbers stay monotonic across suspend/resume, and theonPendingApprovalsabort policy is reachable and consistent ('fail'only when approvals are actually pending). - One trace tree with child transparency: the new
subagent.eventforwards child lifecycle events perforwardEvents, and handoff/toToolruns parent under the live step span. - Thinking-block signatures round-trip (new
reasoning-endprovider event), so multi-step tool use with Anthropic extended thinking replays each block byte-equal;RunContext.statebecomes a read-only projection;AnyTooland the exportedHandoffEntryend the collection-seam casts.
Storage & retention
- The server prunes derived data by default: a unified retention sweep (every 6 hours) deletes spans (30 d), consolidator run counters (90 d), exhausted DLQ batches (30 d) and expired idempotency records; primary content (sessions, audit, memory history, workflow threads) stays strictly opt-in;
retention: { enabled: false }disables it. - Hard-delete means hard-delete: session deletion erases every session-scoped surface via the schema-gated
SESSION_SCOPED_PURGESregistry (facts, insights, spans, working blocks) plus suspended-run checkpoints (migration 029). - Reachable retention levers:
pruneSpansand a realgraphorin traces prune(previously a no-op against a phantom table),graphorin memory prune-history, checkpointpruneThreads/compactThread, an opt-in agentcheckpointPolicy: 'delete-on-terminal', consolidatordlq-list/dlq-clear, andgraphorin storage compact(incremental vacuum, FTS-safe). - Concurrency + integrity: a migration-runner TOCTOU fence, read-only CLI commands stop auto-migrating live databases, a data-repair preflight on migration 022, typed
SqliteBusyError,encryptDatabase({ swap: true })refuses under a live writer,Float32Arrayviews serialize correctly, andrules_ftsjoins the FTS integrity guard. The schema advances to migration 032.
MCP & tools
- MCP server identity is transport-derived - a server renaming itself can no longer mint fresh TOFU pins or claim a trusted handle scope; the pin lifecycle covers post-approval tool additions (rejected by default;
'accept-and-update'for legitimate catalogue changes); the newcreateManagedMCPClientsurvives dead transports and re-screens the catalogue on reconnect. - The ReDoS guard rejects the alternation-overlap family, SDK error classification is code-based (server-controlled text cannot forge timeout/cancel classes), and operator side-effect-class downgrades are visible (WARN +
downgradedTools). - Executor honesty: an inline timeout actually aborts the tool (and stops inviting unsafe retries of side-effecting calls), the
ToolReturnenvelope gains a symbol brand (extra result fields reach the model instead of being silently stripped), auto-prefix collision losers are always renamed or observably suppressed, streaming aggregation is bounded (8 MiB default), and tool discovery/grading is comment-aware. - Tools/MCP counters land on
/v1/metricsas Prometheus series.
Provider adapters, pricing & observability
- Streaming provider errors join the canonical taxonomy: a pre-content 429/500/529 throws a typed retryable
ProviderHttpError(retry and fallback finally engage on streaming steps); a mid-stream error classifies and finishes asfinishReason: 'error'. - Local adapters put images on the wire (
capabilities.multimodal) and warn instead of silently dropping parts;llamaCppNodeAdapterspeaks real chat history with an opt-in persistent session;withRateLimitgains atokensPerMinutebudget. graphorin pricing refreshworks against the published@pydantic/genai-pricesdataset, theCost.amountunits contract is pinned (whole currency units), andCostTrackertracks prompt-cache legs under bounded memory.- Per-type sampling rules finally thin child spans, span events carry sensitivity tiers (
recordExceptionexportsexception.type), and the phantom@opentelemetry/*peers are gone - with them theERESOLVEtrap of the stale caret pins.
Server, wire & clients
- Binary payloads survive the wire: run-state schema 1.2 with
WireRunState/WireMessagecodecs (an image in a run checkpointed atawaiting_approvalno longer corrupts on resume) and JSON-safeWireAgentEventprojections on the server WS path. - The WS replay buffer is TTL-pruned (memory-leak fix), the client's per-subscription queue is bounded (typed
flow-overflow), and a WS-to-SSE fallback closes unresumable subscriptions deterministically instead of hanging them.
CLI
--jsonmode honours exit codes (a broken audit hash chain no longer exits 0),graphorin initstops printing a dead bootstrap token and walks the real pepper ->migrate->token createpath (stdin, never argv), help text stops promising unimplemented persistence, and thecheck-cli-docsgate now validates required options.
Packaging, types & release pipeline
- Node floor 22.12; CommonJS consumers can plain
require()every package - export maps moved from theimportcondition todefault(stablerequire(esm)), gated by attwnode16and a require-smoke against packed tarballs. - zod ^4 actually typechecks at
skipLibCheck: false(theZodLikeErrorshim widens toPropertyKey; shipped d.ts no longer bake concrete zod v3 generics). Phantom workspace dependencies are removed, every package declaressideEffects, tarballs shipsrc/so declaration maps resolve, and the server's sibling peer floors track the current minor. - The core public API is snapshot-gated (api-extractor report + CI gate), and publishing moves to npm trusted publishing (OIDC) - no long-lived registry token; Sigstore provenance rides the same workflow identity.
Documentation, evals & examples
- LOCOMO / LongMemEval loader fidelity (speaker names rendered, numeric reference answers kept, empty-reference questions skipped), a TSDoc
{@link}sweep behind a validation gate, honesty fixes across READMEs and guides (WorkerPool, HITL event shapes, journal semantics, retention stories), and friendlier lint:no-implicit-network-callscopes to@graphorin/packages by default andno-secret-unwrapgains anallowReceiverPatternescape for Zod's.unwrap(). - Doc gates go deny-by-default: snippet typechecking auto-discovers every page, a character-rules gate pins ASCII punctuation,
llms.txtis compact again (the API index moves tollms-api.txt), and the examples' run-direct guard works on Windows.
0.6.1 - 2026-07-05
Patch release.
Fixed
- observability: the default-on
graphorin-tokenredaction pattern was hardcoded to a stalekru_token shape and never matched real framework tokens; it now matches the actualgph_<env>_v1_<entropy>_<crc32>format (deployments with a custom token prefix must register their own pattern).
Changed
- all packages: version constants and version-bearing strings (writer ids, client/server info, OTLP attributes, the build-info metric) now derive from each package's manifest at build time; rendered values are byte-identical at this version. Release bumps no longer edit source, the remaining text surface is rewritten by
pnpm run bump-version -- --sync, and the newcheck-version-consistencyCI gate fails any reintroduced hardcoded framework version.
0.6.0 - 2026-07-05
The second framework-wide audit release - waves A-E of the 2026-07-04 audit (220 findings) - plus a full documentation accuracy + character-rules sweep. Per-package details live in each package's CHANGELOG.md; upgrade notes are in the migration guide (documentation/guide/migration.md).
Security & correctness (waves A-B)
- Tool parameters are real JSON Schema on the provider wire: a structural Zod v3/v4 converter (
@graphorin/tools/schema) replaces serialized validator internals; unprojectable schemas degrade loudly. - Durable HITL resume is exactly-once: an approved call's resume writes a write-ahead intent checkpoint before dispatch and the journaled state after it; stale pre-execution snapshots stay bounded at one re-execution.
- Transcript well-formedness invariant in the step builder, hook-level
allowSensitivity, sessionpurge()cascade,disableRepair,prefixMessagestoken basis, spill-file taint sidecars, superseded-facts-excluded-by-default reads, an emergency compaction tier, IMMEDIATE SQLite transactions + an online backup API, MCP result-handle scoping + ReDoS guards, and theaiv7 provider-contract conversion.
SOTA adopts (wave C)
- Prompt-cache economics end-to-end:
Usagecache read/write legs, the opt-incachePolicybreakpoint anchors, a cache-friendly tool catalogue, and cache-aware cost tracking over a regenerated pricing snapshot. - Recoverable tool-error envelope + transparent bounded retry, the verifier seam, deterministic replay (
recordProviderResponses+createReplayProvider), compaction hardening (preserveUserMessages), trust-aware recall ranking +fitFusionWeights, derived-taint'strict'mode with recall re-arm and MCP TOFU pinning, one-trace-treeagent.run/agent.stepspans, and eval A/B switches with a non-self judge.
Durable runtime (wave D)
- Step-journal workflow durability: durable timers, awakeables, approvals, and compare-and-set checkpoint writes (
CheckpointStore.put({ expectedLatestId })); the'async'durability source is removed. - Sub-agent isolation (read-only capability,
contextFold, taint propagation), memory learned-context / owner / access-counters / runbooks (migrations 026-028), Merkle audit checkpoints + a skill-signing trust root + Progent / Rule-of-Two argument policies, and PPR-lite graph retrieval with entity-match fusion.
Cross-cutting (wave E)
- A ~2000x graph-CTE query-plan fix in the SQLite store's entity expansion, found by the new 100k-fact scale probe (
benchmarks/scale); the latency and memory-sim benchmark gates are armed for real. - Release pipeline: the changesets 1.0.0 peer-escalation landmine defused (ranged internal peers +
onlyUpdatePeerDependentsWhenOutOfRange+ private-package ignore), tarball surface fixes (@graphorin/memory./conflictruntime-empty subpath, per-package CHANGELOG backfill), strictermvp-readinessrelease gates. - Supply chain + CI: SHA-256-pinned eval datasets (
scripts/datasets.lock.json), failure notifications for scheduled workflows, job timeouts everywhere. - Deployment templates fixed against reality (kubectl YAML-1.1 octal
defaultMode, systemdExecReloadremoval, docker config/secrets mounts), the Windowsstorage cleanup-backupsno-op fixed, OTel GenAI span-name alignment, and eval statistics (Wilson intervals, pass^k, McNemar paired significance) attached to every eval summary.
Documentation
- Every authored page re-verified against the code: 40 confirmed drift fixes (fictional
calculateCostexamples, health-check shapes, session-export record kinds, redaction-pattern catalogue, deployment template claims, and more), with the doc gates extended so the drift class cannot silently recur (28 compile-checked snippets, CLI-docs flag validation, anchor-checking lychee in offline file mode). - A character-rules sweep across all markdown, TSDoc, and user-facing strings (ASCII punctuation only), and a new Performance & scale guide (
documentation/guide/performance.md) with measured 100k-fact numbers.
0.5.0 - 2026-06-14
A framework-wide audit-remediation release - waves 0-4 of a 301-finding security + correctness audit - plus SOTA adopts across memory, tools, and the agent runtime. This is the first release published to the npm registry.
Security & correctness
- Closed actively-exploitable holes: code-mode
process.envexfiltration, the model-driven memory-quarantine bypass, object tool-outputs bypassing truncation + inbound sanitization, the encrypted-secrets-store silent data-loss path, the concurrent-appendAuditrace, the GDPRpurge()FK failure, idempotency-replay scope bypass, and per-IP rate-limit spoofing. - Fail-loud over silent corruption: secrets/audit write paths, provider retry + fallback on network errors, and four trigger-scheduler bugs (spurious catch-up, interval double-fire, error-death, long-horizon
setTimeoutoverflow).
Completed core mechanisms
- Durable HITL resume now executes an approved tool exactly once; workflow crash-recovery + frontier persistence;
ContextEngine.assemble(), guardrails, structuredoutputType, and the previously-inertAgentConfigfields are wired or removed. - Memory: tokenized FTS recall, honest metadata counts, server-wired background consolidation, real sliding-window cost budgets, and a quarantine promotion path.
- Streaming server end-to-end (SSE / WebSocket), config-driven storage encryption, provider request timeouts + JSON-mode, and the Vercel AI SDK v7 chunk shapes.
SOTA adopts (eval-gated)
- Compaction clearing-tier with recoverable
read_resulthandles + reclaim-floor and Errors/Next-steps summary sections; the FIDES data-flow lattice; prompt-cache-aware tool catalogue with worked tool-use examples and end-to-end structured output; step-journal exactly-once resume; OpenTelemetry GenAI span mapping.
Hardening & honesty (wave 4)
- Obfuscation-resistant taint detection, opt-in deny-wins supply-chain precedence, audit-prune + 1Password-CLI-timeout fixes, all-occurrence / cross-delta redaction, a cross-embedder entity-resolution guard, revived no-network guard coverage, and a documented security Known limitations section.
0.4.0 - 2026-05-26
The memory program (P0-1 … P2-2) - a research-grade rebuild of @graphorin/memory.
Added
- Temporal memory - bitemporal
as_ofreads and afact_historytool (migration 013). - Injection defense - provenance + quarantine on extracted facts, an agent-callable
fact_validatepromotion gate, and offline injection heuristics. - Consolidation - neighbour-aware extract→reconcile, auto-importance + episode formation, and deep-phase reflection that synthesises read-only insights (migration 014).
- Retrieval - contextual retrieval with late-chunking (default), query transformation (multi-query / RAG-Fusion + opt-in HyDE), weighted/convex fusion, an in-SQLite entity graph with one-hop expansion (migrations 015-016), agentic/iterative retrieval (
deep_recall), and procedural memory induction (migration 017). - Hygiene - multi-signal forgetting / capacity-bounded eviction, and recall introspection (
graphorin memory inspect/activity). - An offline-first eval harness (
@graphorin/evals) with LongMemEval / LOCOMO loaders.
0.3.0 - 2026-05-24
Tools & harness end-to-end (WI-01 … WI-13).
Added
- Defer-loading tool catalogue - large tool sets are summarised; full schemas load on demand through a Tool Search seam.
- Spill-to-handle results - oversized tool outputs spill to a handle re-fetchable via
read_result, bounding context growth. - Code-mode execution - the model can drive tools through a sandboxed code API instead of one call per step.
- Deterministic dataflow / taint policy - opt-in
dataFlowPolicy: 'shadow' | 'enforce'gates untrusted-to-sink flows and the lethal trifecta atexecuteOne. - MCP surface completion -
resource_link→ handles, gated elicitation / sampling hooks, and composable result readers.
0.2.0 - 2026-05-21
A hardening / quick-wins maintenance release driven by an internal action-item audit: dependency and supply-chain hygiene, CI tightening, and assorted correctness fixes across the runtime and tooling.
0.1.0 - 2026-05-09
The first tagged version of the Graphorin framework. All @graphorin/* packages are versioned together at 0.1.0 (lockstep on the 0.x line).
Added
Runtime, memory, workflow
@graphorin/agent- agent runtime with streaming events, steering / follow-up queues,prepareStephook, HITL durable resume, multi-agent handoffs (Agent.toTool({ secretsInheritance })), composable stop conditions, fan-out + evaluator-optimizer loops, structured-handoff artifacts.@graphorin/memory- six-tier memory: working / session / episodic / semantic (bi-temporal default-on) / procedural / shared. Multi-stage conflict resolution (exact dedup → embedding three-zone → heuristic regex → subject/predicate). Hybrid search with Reciprocal Rank Fusion default. Memory-aware system prompt with built-in English locale pack and a pluggable per-locale extension point. Background consolidator withlight+standard+ minimum-viabledeepphases, mandatory noise filter, lock-then-defer policy, idempotency cursor, dead-letter queue, and a defaulttier: 'free'cost budget.@graphorin/workflow- durable step-graph runtime with a synchronous-step model, in-memory channels (LatestValue,Reducer,Stream,Barrier,Ephemeral,AnyValue,ListAggregate),pause(HITL) /resume, four stream modes (values/updates/tasks/debug),DirectiveandDispatchprimitives.@graphorin/sessions- hybrid session facade with the agent registry, handoff records, JSONL export schema 1.0, and replay reconstruction. Session messages are owned by@graphorin/memory(single source of truth, DEC-147).
External surface
@graphorin/tools- typed tool registry, parallel execution,needsApprovalflow, sandboxed execution, four-strategy result truncation pipeline, streaming-tool execution surface, built-intool_searchlookup tool.@graphorin/skills- Anthropic Agent Skills format compatible loader withgraphorin-*namespaced extensions; ed25519 signature verification on install (DEC-140 / ADR-034); slash commands (/skill:name); progressive-disclosure activation; sandbox-tier-aware execution.@graphorin/mcp- Model Context Protocol client (stdio + Streamable HTTP + legacy SSE); typedMCPClient;toTools()adapter with inbound prompt-injection sanitization, deferred-loading auto-default, structured-content + outputSchema round-trip, per-server priority and collision strategy; pluggableEventStorefor resumable sessions; OAuth bridge backed by@graphorin/security/oauth.
Persistence + provider
@graphorin/store-sqlite- default storage adapter on top ofbetter-sqlite3@^12.9.0+sqlite-vec@~0.1.9+ FTS5 withunicode61 remove_diacritics 2 tokenchars '-_.@/'. WAL hardening pragmas, WorkerPool wrapper for the standalone server.@graphorin/embedder-transformersjs- default in-process embedder (Xenova/multilingual-e5-base, multilingual). WebGPU when available.@graphorin/embedder-ollama- first-class opt-in alternative against an Ollama daemon (nomic-embed-textdefault, multi-model support).@graphorin/triggers- cron / interval / idle / event triggers; same code path in library and standalone-server modes (DEC-150).@graphorin/provider- vendor-neutralProviderinterface; defaultvercelAdapterwrapping the Vercel AI SDK (v7 beta);ollamaAdapter,llamaCppServerAdapter, andopenAICompatibleAdapterfor local LLMs; sharedLocalProviderTrustclassifier; provider middleware composer with enforced ordering (DEC-145 / ADR-039) -withRedactionis mandatory innermost.@graphorin/provider-llamacpp-node- companion package for in-process GGUF execution vianode-llama-cpp@^3.5.
Cross-cutting infrastructure
@graphorin/security-SecretValuewrapper end-to-end with leakage barriers;SecretRefURI scheme (env:/keyring:/file:/encrypted-file:/op:///vault:///ref:);KeyringSecretsStoredefault via@napi-rs/keyring; sandbox tiers (worker-threadsdefault +docker+isolated-vm+none); memory-modification guard (xxhash-fingerprint hash chain); HMAC-SHA256 + pepper server-token auth (DEC-122 / ADR-027); encryptedaudit.dbwith SHA-256 hash chain; OAuth flows viaopenid-client@^6.x; ed25519 skill-signature verifier; process hardening (umask, refuse-root, file-mode policy).@graphorin/observability- OpenTelemetry tracer with GenAI Semantic Conventions; typedAISpan<SpanType>;ConsoleExporter/JSONLExporter/OTLPHttpExporterwith mandatoryRedactionValidator(default-deny non-public, DEC-141 / ADR-035). Eval interfaces only; the full eval framework ships in@graphorin/evals.@graphorin/pricing- separate package; bundled@pydantic/genai-pricessnapshot;graphorin pricing refreshopt-in (never invoked automatically).
Standalone runtime
@graphorin/server- optional REST + WebSocket + SSE runtime built on Hono. RESTIdempotency-Keyper IETF draft-07 (DEC-142 / ADR-036), durable HITL across process restarts, lifecycle hooks, triggers daemon, consolidator daemon, replay endpoints,/v1/health/v1/metrics(Prometheus, opt-in auth), audit verify endpoint.
@graphorin/cli- operator CLI binary (graphorin start | init | migrate | doctor | token | secrets | storage | audit | memory | consolidator | triggers | auth | pricing | skills | traces | migrate-export | guard | telemetry).@graphorin/protocol- browser-friendly schemas for the WebSocket protocol contractgraphorin.protocol.v1(DEC-127 / ADR-031).@graphorin/client- browser-friendly TypeScript client for the standalone server.
Optional sub-packs
@graphorin/store-sqlite-encrypted- SQLCipher v4 encryption-at-rest viabetter-sqlite3-multiple-ciphers@^12.9.0(DEC-129 / ADR-030). Required for the always-encryptedaudit.dbon fresh installations.@graphorin/secret-1password- referenceSecretResolverforop://URIs through the 1Password CLI.@graphorin/reranker-transformersjs- pluggable cross-encoder reranker on top of@huggingface/transformers.@graphorin/reranker-llm- pluggable LLM-judge reranker.@graphorin/eslint-plugin- ESLint rules for projects that build on Graphorin (no-secret-unwrap,no-secret-in-deps,provider-middleware-order,no-implicit-network-call,no-third-party-workflow-aliases,no-bare-tool-exec, tool-discovery surface).@graphorin/evals- full evaluation framework (scorers, datasets, runner, reporters; decoupled from@graphorin/observabilityper RB-17 / DEC-152).
Privacy and security baselines
- Zero default telemetry (DEC-154 / ADR-041). The framework generates no outbound network call you did not initiate. The CI workflow
check-no-network.ymlenforces this against the source tree on every push and pull request. - Sigstore build provenance on every published package (
publishConfig.provenance: true+npm provenanceon the GitHub Actions release workflow). - Pre-launch security audit completed against the project's STRIDE threat model and the OWASP LLM Top 10 (2025): 0 Critical, 0 High findings; Medium / Low findings documented with v0.2 owners.
Examples
The repository ships eight example apps:
personal-assistant-cli- single-agent local CLI (library mode, hello-world target).slack-bot-integration- server mode + WebSocket + durable HITL approvals across server restart.background-consolidator- server mode + cron triggers + light / standard consolidator phases.multi-agent-crew- supervisor + 2 worker agents (RB-33 acceptance scenario).approval-workflow-@graphorin/workflowHITL durable resume viapause()/Directive(resume)across server restart.document-pipeline-@graphorin/workflowDispatch+ parallel nodes + every channel type.three-agent-harness- Planner / Generator / Evaluator harness with structured-handoff artifacts;Agent.fanOut(...)+evaluatorOptimizer(...)(RB-50 reference).local-stack-cli- fully local stack (Ollama LLM + Ollama embeddings + SQLite + sqlite-vec, no cloud calls).
Distribution templates: docker/, k8s/, systemd/, github-actions/.
Benchmarks
benchmarks/locomo- LoCoMo benchmark runner (10 conversations, 200 questions); per-question accuracy + per-conversation aggregates- cost summary.
benchmarks/locomo-multilingual- community-contribution hooks for per-locale subsets.benchmarks/dialogue-smoke- dialogue smoke test (wiring check; not the published DialSim benchmark).benchmarks/memory-sim- synthetic-dialogue memory simulator.benchmarks/latency- p50 / p95 FTS memory-search latency probe.benchmarks/cost- per-conversation token-cost regression suite (CI budget assertion, must not increase > 10 % between runs).
Documentation
- Per-package
README.mdcovers the public surface, configuration, and dependency footprint. SECURITY.mddocuments the disclosure process, supported versions, cryptographic baselines, and the privacy promise.CONTRIBUTING.mdcovers the development workflow, conventions, and commit format.CODE_OF_CONDUCT.mdreproduces the unmodified Contributor Covenant v2.1 text.THIRD_PARTY_NOTICES.mdlists every runtime, optional, and build-time dependency with its license and the role it plays in Graphorin.
Hello-world target
A 20-line script that creates a memory-backed agent, streams tokens, persists facts to local SQLite via local transformers.js embeddings, survives process restart for HITL approvals when run via graphorin start, and emits OpenTelemetry spans (file or console exporter). The example lives in examples/personal-assistant-cli/.