njfio · njfio · Dec 2, 2025 · Dec 2, 2025 · Dec 2, 2025 · Dec 2, 2025
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -55,4 +55,4 @@ ENV OPENSSL_DIR=/usr \
     CC=gcc
 
 # Set the working directory
-WORKDIR /workspace
+WORKDIR /workspace
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -70,4 +70,4 @@
       ]
     }
   }
-}
+}
diff --git a/.gitattributes b/.gitattributes
@@ -0,0 +1,3 @@
+
+# Use bd merge for beads JSONL files
+.beads/issues.jsonl merge=beads
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -16,20 +16,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - name: Install latest stable
-        uses: actions-rs/toolchain@v2
+      - uses: dtolnay/rust-toolchain@stable
+      - uses: Swatinem/rust-cache@v2
         with:
-          toolchain: stable
-          override: true
-      - name: Cargo cache
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cargo/registry
-            ./target
-          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+          cache-on-failure: true
+      - name: Build (required for E2E tests)
+        run: cargo build
       - name: Run tests
-        run: cargo test --verbose --target x86_64-unknown-linux-gnu
+        run: cargo test --verbose
 
   build:
     strategy:
@@ -52,31 +46,19 @@ jobs:
       OS: ${{ matrix.OS }}
     steps:
       - uses: actions/checkout@v4
-      - name: Install latest stable
-        uses: actions-rs/toolchain@v2
+      - uses: dtolnay/rust-toolchain@stable
         with:
-          toolchain: stable
-          target: ${{ matrix.TARGET }}
-          override: true
-      - name: Cargo cache
-        uses: actions/cache@v4
+          targets: ${{ matrix.TARGET }}
+      - uses: Swatinem/rust-cache@v2
         with:
-          path: |
-            ~/.cargo/registry
-            ./target
-          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
-      - name: Clear cargo cache
-        if: ${{ failure() }}
-        run: |
-          cargo clean
-          rm -rf ~/.cargo/registry
+          cache-on-failure: true
       - name: Install and configure dependencies
         run: |
           if [[ $OS =~ ^ubuntu.*$ ]]; then
             sudo apt-get update
             sudo apt-get install -qq crossbuild-essential-arm64 crossbuild-essential-armhf
           fi
-      
+
       - name: Add musl target
         if: ${{ matrix.TARGET == 'x86_64-unknown-linux-musl' }}
         run: sudo apt-get update && sudo apt-get install -y musl-dev musl-tools
@@ -122,44 +104,40 @@ jobs:
           files: ./artifacts/*.tar.gz
 
   fmt:
+    name: Format Check
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - name: Install latest stable
-        uses: actions-rs/toolchain@v2
+      - uses: dtolnay/rust-toolchain@stable
         with:
-          toolchain: stable
-          override: true
           components: rustfmt
-      - name: cargo fmt --check
+      - name: Check formatting
         run: cargo fmt --all -- --check
 
   clippy:
+    name: Lint
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - name: Install latest stable
-        uses: actions-rs/toolchain@v2
+      - uses: dtolnay/rust-toolchain@stable
         with:
-          toolchain: stable
-          override: true
           components: clippy
-      - name: cargo clippy (deny warnings)
-        run: cargo clippy --all-targets --all-features -D warnings
+      - uses: Swatinem/rust-cache@v2
+        with:
+          cache-on-failure: true
+      - name: Run clippy
+        run: cargo clippy --all-targets -- -W clippy::all
 
   audit:
     runs-on: ubuntu-latest
+    continue-on-error: true  # Don't block PRs on audit failures
     steps:
       - uses: actions/checkout@v4
-      - name: Install latest stable
-        uses: actions-rs/toolchain@v2
+      - uses: dtolnay/rust-toolchain@stable
+      - uses: Swatinem/rust-cache@v2
         with:
-          toolchain: stable
-          override: true
+          cache-on-failure: true
       - name: Install cargo-audit
-        run: |
-          if ! command -v cargo-audit >/dev/null 2>&1; then
-            cargo install cargo-audit
-          fi
+        run: cargo install cargo-audit --locked
       - name: cargo audit
-        run: cargo audit
+        run: cargo audit || echo "::warning::Security audit found vulnerabilities - please review"
diff --git a/.gitignore b/.gitignore
@@ -102,3 +102,15 @@ fluent_cache*
 enhanced_reflection_profiling_report.txt
 reasoning_engine_profiling_report.txt
 key_safe.txt
+
+# Agent output directories (generated games, research, etc.)
+outputs/
+agent_state/
+fluent_persistence/
+test_temp/
+
+# Test/research artifacts generated by agent
+*_research.md
+*_research.txt
+*_strategy_research.md
+*research_output*
diff --git a/.markdownlint.json b/.markdownlint.json
@@ -0,0 +1,5 @@
+{
+  "MD013": false,
+  "MD033": false,
+  "MD041": false
+}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,21 +1,49 @@
+# Pre-commit hooks for fluent_cli
+# Install: pip install pre-commit && pre-commit install
+# Run manually: pre-commit run -a
+
 repos:
-  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.6.0
-    hooks:
-      - id: check-yaml
-      - id: end-of-file-fixer
-      - id: trailing-whitespace
+  # Rust formatting
   - repo: local
     hooks:
-      - id: rustfmt
-        name: rustfmt
+      - id: cargo-fmt
+        name: cargo fmt
         entry: cargo fmt --all --
         language: system
         types: [rust]
         pass_filenames: false
-      - id: clippy
-        name: clippy
-        entry: cargo clippy --all-targets
+
+  # Rust linting
+  - repo: local
+    hooks:
+      - id: cargo-clippy
+        name: cargo clippy
+        entry: cargo clippy --all-targets -- -D warnings
         language: system
         types: [rust]
         pass_filenames: false
+
+  # YAML validation
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.5.0
+    hooks:
+      - id: check-yaml
+        args: [--allow-multiple-documents]
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+      - id: check-merge-conflict
+      - id: check-added-large-files
+        args: ['--maxkb=500']
+
+  # TOML validation
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.5.0
+    hooks:
+      - id: check-toml
+
+  # Markdown linting (optional)
+  - repo: https://github.com/igorshubovych/markdownlint-cli
+    rev: v0.38.0
+    hooks:
+      - id: markdownlint
+        args: [--fix, --disable, MD013, MD033, MD041]
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -107,7 +107,7 @@ The project uses a Cargo workspace with multiple crates providing modular functi
 
 - **fluent-core**: Shared utilities, configuration management, traits, and types. Provides base abstractions like `Engine` trait, `Request`/`Response` types, error handling, Neo4j client, and centralized configuration.
 
-- **fluent-engines**: Multi-provider LLM implementations (OpenAI, Anthropic, Google, Cohere, Mistral, etc.). Includes pipeline executor, streaming support, connection pooling, caching, and plugin system.
+- **fluent-engines**: Multi-provider LLM implementations (OpenAI, Anthropic, Google, Cohere, Mistral, etc.). Includes pipeline executor, streaming support, connection pooling, and caching. **Note**: Plugin system code exists but is disabled (see Plugin System section below).
 
 - **fluent-storage**: Persistent storage layer with vector database support, embeddings, and memory storage backends.
 
@@ -174,6 +174,59 @@ Comprehensive tool framework in `fluent-agent/src/tools/`:
 - Example demonstrations in `examples/`
 - Test data fixtures in `tests/data/`
 
+### Plugin System Status
+
+**IMPORTANT: The plugin system is DISABLED and not available in production builds.**
+
+#### Why Plugins Are Disabled
+
+The codebase contains a complete secure plugin architecture in `crates/fluent-engines/src/plugin.rs` and `secure_plugin_system.rs`, but it is intentionally disabled for the following reasons:
+
+1. **WASM Runtime Not Included**
+   - Requires wasmtime or wasmer (~10-15MB binary size increase)
+   - `wasm-runtime` feature flag is disabled by default
+   - WASM execution layer is not implemented (returns error)
+
+2. **Security Infrastructure Requirements**
+   - Requires PKI setup for Ed25519 signature verification
+   - No trusted plugin registry or distribution mechanism
+   - Needs comprehensive security audit before production use
+   - Supply chain attack risks from untrusted plugins
+
+3. **Maintenance and Support Burden**
+   - Plugin API stability guarantees required
+   - Ongoing security updates and patches needed
+   - Support burden for third-party plugin developers
+
+#### What's Implemented (But Disabled)
+
+The secure plugin system includes:
+- ✅ Complete plugin manifest system with capabilities and permissions
+- ✅ Cryptographic signature verification (Ed25519)
+- ✅ Resource limits and quotas (memory, CPU, network)
+- ✅ Capability-based security model
+- ✅ Comprehensive audit logging
+- ✅ Plugin CLI management tool (`plugin_cli.rs`)
+- ⚠️ WASM runtime execution (architecture ready, but not implemented)
+
+#### Alternatives to Plugins
+
+Instead of plugins, use:
+1. **Built-in engines**: OpenAI, Anthropic, Google Gemini, Cohere, Mistral, Groq, Perplexity, StabilityAI, Leonardo AI, DALL-E
+2. **Webhook engine**: Proxy requests to custom external services
+3. **Fork and add**: Submit a PR to add your engine as a built-in type
+4. **Langflow/Flowise**: Use these chain engines for custom workflows
+
+#### Enabling for Development (Not Recommended)
+
+If you need to enable plugins for development/testing:
+1. Add WASM runtime to `crates/fluent-engines/Cargo.toml`
+2. Implement WASM execution in `SecurePluginEngine::execute()`
+3. Set up Ed25519 key infrastructure
+4. Build with `cargo build --features wasm-runtime`
+
+See detailed documentation in `crates/fluent-engines/src/plugin.rs` module docs.
+
 ## Important Notes
 
 1. **API Keys**: Always use environment variables for API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY, etc.). Never commit credentials.
@@ -194,4 +247,4 @@ Comprehensive tool framework in `fluent-agent/src/tools/`:
 
 7. **Request IDs**: All operations generate unique request IDs for tracing and debugging. Look for `request_id` in JSON logs or structured output.
 
-8. **Config Schema**: The `EnhancedEngineConfig` JSON Schema can be generated with `fluent schema` or via the `fluent-config` binary for validation and documentation.
+8. **Config Schema**: The `EnhancedEngineConfig` JSON Schema can be generated with `fluent schema` or via the `fluent-config` binary for validation and documentation.
diff --git a/CODEBASE_TODO.md b/CODEBASE_TODO.md
@@ -156,4 +156,4 @@ Acceptance Criteria (Definition of Done)
 - cargo test passes locally with networked tests gated behind a feature/env
 - cargo clippy shows no new warnings; cargo fmt has no diffs
 - CI runs lint, build, and tests across OS/targets; artifacts produced for release targets
-- README and docs reflect current behavior precisely; examples succeed or exit gracefully with clear guidance
+- README and docs reflect current behavior precisely; examples succeed or exit gracefully with clear guidance
-Original file line number
+Diff line change
@@ Expand Up / @@ -70,4 +70,4 @@ @@
           ]
         }
       }
-    }
+    }
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@

		# Use bd merge for beads JSONL files
		.beads/issues.jsonl merge=beads