v0.2.0-rc.2 — scope core under @mandarnilange + npm audit fix

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -45,8 +45,8 @@ body:
     attributes:
       label: Which package?
       options:
-        - agentforge-core (framework)
-        - agentforge (platform)
+        - "@mandarnilange/agentforge-core (framework)"
+        - "@mandarnilange/agentforge (platform)"
         - both / unsure
         - docker image
     validations:

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -41,8 +41,8 @@ body:
     attributes:
       label: Which layer?
       options:
-        - agentforge-core (framework)
-        - agentforge (platform)
+        - "@mandarnilange/agentforge-core (framework)"
+        - "@mandarnilange/agentforge (platform)"
         - dashboard UI
         - templates / docs
         - CI / release / packaging

.github/workflows/release.yml

@@ -1,7 +1,7 @@
 name: Release
 
 # Tag-triggered release pipeline. Push a semver tag (e.g. `v0.2.0`) to
-# publish agentforge-core + agentforge to npm, push Docker images
+# publish @mandarnilange/agentforge-core + @mandarnilange/agentforge to npm, push Docker images
 # to GHCR, and create a GitHub Release with CHANGELOG notes.
 #
 # Prereqs:
@@ -94,7 +94,7 @@ jobs:
       # Root build emits all publishable assets into dist/ BEFORE npm publish runs.
       # packages/*/prepublishOnly also delegates to the root build as a safety net.
       - run: npm run build
-      - name: Publish agentforge-core
+      - name: Publish @mandarnilange/agentforge-core
         working-directory: packages/core
         run: npm publish --access public --provenance
         env:

CHANGELOG.md

@@ -3,6 +3,35 @@
 All notable changes to this project are documented here.
 Format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [0.2.0-rc.2] — Move both packages under `@mandarnilange/*`
+
+The framework package is now published as `@mandarnilange/agentforge-core`
+(was `agentforge-core`), matching the platform package's scope from
+rc.1. Both packages now live under one consistent npm scope, which
+keeps install paths uniform across docs and removes the lingering
+similarity-policy risk on the unscoped name.
+
+CLI binaries are unchanged — `agentforge-core` and `agentforge` keep
+their existing names; only the install paths carry the scope.
+
+The unscoped versions of `agentforge-core` (`0.2.0-rc.0` and
+`0.2.0-rc.1`) are deprecated on npm and direct installs to the new
+scoped name. Anyone who only depends on `@mandarnilange/agentforge`
+gets the new core transparently as a transitive dependency.
+
+This rc.2 also bundles `npm audit` fixes for the
+`fast-xml-parser` XML-injection advisory (moderate, transitive
+via the AWS SDK pulled in by OpenTelemetry exporters). No API
+surface change.
+
+The remaining two `npm audit` warnings are for `uuid <14.0.0` reached
+through `dockerode@4.x` (`@aws-sdk` no longer applies after the fix
+above). The advisory only affects `uuid.v3/v5/v6` when called with a
+pre-allocated `buf` argument; `dockerode` uses `uuid.v4()`, which is
+unaffected, so AgentForge is not exposed. `dockerode@5.x` removes the
+`uuid` dependency entirely — we'll bump to it in v0.3 once
+`@types/dockerode` ships v5 (currently at 4.0.1 on DefinitelyTyped).
+
 ## [0.2.0-rc.1] — Scope the platform package + retag
 
 The platform package is now published as `@mandarnilange/agentforge`

CONTRIBUTING.md

@@ -57,7 +57,7 @@ npx biome check --write .
 
 - **Domain layer** (`packages/core/src/domain/`) has zero external dependencies
 - **Core** must never import from **platform** — dependency flows one way only
-- Platform imports core types via `agentforge-core/...` package imports
+- Platform imports core types via `@mandarnilange/agentforge-core/...` package imports
 - All external concerns are injected through port interfaces
 
 ## Commit Messages

README.md

@@ -1,16 +1,16 @@
 # AgentForge
 
 [![CI](https://github.com/mandarnilange/agentforge/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/mandarnilange/agentforge/actions/workflows/ci.yml)
-[![npm agentforge-core](https://img.shields.io/npm/v/agentforge-core?label=agentforge-core&color=blue)](https://www.npmjs.com/package/agentforge-core)
-[![npm agentforge](https://img.shields.io/npm/v/agentforge?label=agentforge&color=blue)](https://www.npmjs.com/package/agentforge)
+[![npm @mandarnilange/agentforge-core](https://img.shields.io/npm/v/@mandarnilange/agentforge-core?label=%40mandarnilange%2Fagentforge-core&color=blue)](https://www.npmjs.com/package/@mandarnilange/agentforge-core)
+[![npm @mandarnilange/agentforge](https://img.shields.io/npm/v/@mandarnilange/agentforge?label=%40mandarnilange%2Fagentforge&color=blue)](https://www.npmjs.com/package/@mandarnilange/agentforge)
 [![License: MIT](https://img.shields.io/github/license/mandarnilange/agentforge?color=green)](LICENSE)
-[![Node ≥20](https://img.shields.io/node/v/agentforge-core?color=brightgreen)](package.json)
+[![Node ≥20](https://img.shields.io/node/v/@mandarnilange/agentforge-core?color=brightgreen)](package.json)
 
 **Kubernetes for AI agent workflows.** Declarative agent orchestration in YAML, with approval gates, artifact validation, and a real observability story.
 
 AgentForge lets engineering teams define agents and pipelines the way Kubernetes lets them define pods and deployments — and then handles the execution, state, and scheduling underneath. Ships with a reference SDLC template so you can see an end-to-end pipeline running in minutes. The framework is domain-agnostic: point it at code review, content generation, ops runbooks, data pipelines — anything where multiple LLM calls need to be coordinated with humans in the loop.
 
-> **Status:** v0.2.0 release candidate (`v0.2.0-rc.1`) — early-feedback build. API surface is stabilising but may still shift; `npm install @mandarnilange/agentforge` pulls the RC. Please [open an issue](https://github.com/mandarnilange/agentforge/issues) for anything that looks rough, or use [Discussions](https://github.com/mandarnilange/agentforge/discussions) for usage questions.
+> **Status:** v0.2.0 release candidate (`v0.2.0-rc.2`) — early-feedback build. API surface is stabilising but may still shift; `npm install @mandarnilange/agentforge` pulls the RC. Please [open an issue](https://github.com/mandarnilange/agentforge/issues) for anything that looks rough, or use [Discussions](https://github.com/mandarnilange/agentforge/discussions) for usage questions.
 
 ---
 
@@ -343,13 +343,13 @@ Deeper dive on step pipelines, template variables, and loop semantics: [`docs/ar
 
 ---
 
-## `agentforge` vs `agentforge-core`
+## `@mandarnilange/agentforge` vs `@mandarnilange/agentforge-core`
 
 Two npm packages ship from this repo. Pick based on your target environment.
 
-| | **`agentforge-core`** | **`@mandarnilange/agentforge`** (platform) |
+| | **`@mandarnilange/agentforge-core`** | **`@mandarnilange/agentforge`** (platform) |
 |---|---|---|
-| **Install** | `npm install agentforge-core` | `npm install @mandarnilange/agentforge` (pulls in core) |
+| **Install** | `npm install @mandarnilange/agentforge-core` | `npm install @mandarnilange/agentforge` (pulls in core) |
 | **Binary** | `agentforge-core` | `agentforge` |
 | **Intended for** | Local dev, evaluation, library embed | Production, teams, multi-host |
 | **LLM providers** | Anthropic | Anthropic + OpenAI + Gemini + Ollama |
@@ -363,7 +363,7 @@ Two npm packages ship from this repo. Pick based on your target environment.
 | **Multi-host deploy** | — | Control-plane + worker Docker Compose files |
 | **Docker image** | `ghcr.io/mandarnilange/agentforge-core` (~289 MB) | `ghcr.io/mandarnilange/agentforge-platform` (~336 MB) |
 
-**Rule of thumb:** start with `agentforge-core` if you want the smallest surface for experimentation or you're embedding AgentForge inside your own CLI. Otherwise install `agentforge` — defaults are identical for local dev (SQLite, local executor, Anthropic), and every production feature is available the day you need it. *You won't have to migrate.*
+**Rule of thumb:** start with `@mandarnilange/agentforge-core` if you want the smallest surface for experimentation or you're embedding AgentForge inside your own CLI. Otherwise install `@mandarnilange/agentforge` — defaults are identical for local dev (SQLite, local executor, Anthropic), and every production feature is available the day you need it. *You won't have to migrate.*
 
 Multi-provider setup (OpenAI, Gemini, Ollama): [`docs/multi-provider.md`](docs/multi-provider.md).
 
@@ -624,12 +624,12 @@ Everything is MIT-licensed. Contributions land under the same licence.
 
 ---
 
-## Using just the framework (`agentforge-core`)
+## Using just the framework (`@mandarnilange/agentforge-core`)
 
-If you're embedding the engine into your own CLI or service — or you want the framework without the platform binary, multi-provider middleware, or Postgres — install `agentforge-core` directly:
+If you're embedding the engine into your own CLI or service — or you want the framework without the platform binary, multi-provider middleware, or Postgres — install `@mandarnilange/agentforge-core` directly:
 
 ```bash
-npm install agentforge-core
+npm install @mandarnilange/agentforge-core
 npx agentforge-core init --template simple-sdlc
 ```
 

ROADMAP.md

@@ -14,7 +14,7 @@ Context for anyone skimming the roadmap — these pieces are already live:
 - Step pipeline engine with `llm` / `script` / `validate` / `transform` steps, plus `parallel` and `loop` constructs.
 - Approval gates between phases with a full audit trail.
 - Typed artifacts with 45 built-in schemas; Zod + JSON Schema validation.
-- SQLite state store (`agentforge-core`) and PostgreSQL (`agentforge`).
+- SQLite state store (`@mandarnilange/agentforge-core`) and PostgreSQL (`@mandarnilange/agentforge`).
 - Local, Docker, and remote HTTP executors.
 - Multi-provider LLMs — Anthropic, OpenAI, Gemini, Ollama. Mixed per-agent.
 - OpenTelemetry instrumentation (API-only in core; full SDK + Jaeger export in platform).
@@ -53,7 +53,7 @@ spec:
 
 ### OpenCode execution backend
 
-**Problem.** `agentforge-core` ships with `@mariozechner/pi-coding-agent` as the only coding runtime. The `IExecutionBackend` port exists so others can plug in, but no adapter has been written yet. OpenCode is a strong candidate — actively developed, TypeScript, similar tool surface.
+**Problem.** `@mandarnilange/agentforge-core` ships with `@mariozechner/pi-coding-agent` as the only coding runtime. The `IExecutionBackend` port exists so others can plug in, but no adapter has been written yet. OpenCode is a strong candidate — actively developed, TypeScript, similar tool surface.
 
 **Proposal.** New `OpenCodeExecutionBackend` in the platform package. Accepts an `AgentJob`, delegates to OpenCode's CLI or SDK, forwards status updates back via the `onStatus` callback, returns an `AgentJobResult`. Config via agent YAML `executor: opencode`.
 

SECURITY.md

@@ -40,8 +40,8 @@ In scope:
   Docker / remote executors
 - Code injection via YAML definitions, pipeline inputs, or the
   dashboard API
-- Supply-chain concerns in the npm packages (`agentforge-core`,
-  `agentforge`) or the GHCR container images
+- Supply-chain concerns in the npm packages (`@mandarnilange/agentforge-core`,
+  `@mandarnilange/agentforge`) or the GHCR container images
 
 Out of scope:
 
@@ -52,6 +52,17 @@ Out of scope:
 - Security issues in `pi-coding-agent` or `pi-ai` upstream — open
   an issue on their respective repositories
 
+## Known transitive advisories
+
+`npm audit` currently flags `uuid <14.0.0` (GHSA-w5hq-g745-h8pq,
+moderate) reached via `dockerode@4.x`. The advisory is specific to
+`uuid.v3/v5/v6` when called with a caller-supplied `buf` argument;
+`dockerode` only uses `uuid.v4()`, which is **not** affected.
+AgentForge has no direct dependency on `uuid` and does not invoke the
+vulnerable code path. The fix lands in v0.3 with `dockerode@5.x`
+(which drops the `uuid` dependency entirely) once
+`@types/dockerode@5` is published.
+
 ## Safe harbour
 
 Good-faith security research is welcome. We will not pursue legal

docs/getting-started.md

@@ -22,7 +22,7 @@
 ## 1. Quick Start
 
 ```bash
-# Install from npm (pulls in agentforge-core transitively)
+# Install from npm (pulls in @mandarnilange/agentforge-core transitively)
 npm install @mandarnilange/agentforge
 
 # Set your API key — grab one from https://console.anthropic.com/settings/keys
@@ -62,14 +62,14 @@ npx agentforge run --project my-saas --input "brief=Build a SaaS invoicing platf
 npm install @mandarnilange/agentforge
 ```
 
-`@mandarnilange/agentforge` depends on `agentforge-core`, so a single install gives you both. Defaults (SQLite, local executor, Anthropic) work with zero extra configuration.
+`@mandarnilange/agentforge` depends on `@mandarnilange/agentforge-core`, so a single install gives you both. Defaults (SQLite, local executor, Anthropic) work with zero extra configuration.
 
-> The package is scoped because the unscoped `agentforge` name conflicts with another npm package (`agent-forge`) under npm's similarity policy. The CLI binary is still `agentforge` — only the install path is scoped.
+> Both packages are scoped under `@mandarnilange/*`. The CLI binaries — `agentforge` (platform) and `agentforge-core` (core only) — are unchanged; only the install paths carry the scope.
 
 If you want the framework primitives without the platform binary or the multi-provider / Postgres / Docker executor extras, install core directly:
 
 ```bash
-npm install agentforge-core
+npm install @mandarnilange/agentforge-core
 ```
 
 ### From source

docs/multi-provider.md

@@ -2,7 +2,7 @@
 
 > Part of the [AgentForge documentation](README.md).
 
-AgentForge supports multiple LLM providers via the `agentforge` package. Core (`agentforge-core`) stays Anthropic-only; platform adds provider-aware middleware for OpenAI, Google Gemini, and Ollama.
+AgentForge supports multiple LLM providers via the `@mandarnilange/agentforge` package. Core (`@mandarnilange/agentforge-core`) stays Anthropic-only; platform adds provider-aware middleware for OpenAI, Google Gemini, and Ollama.
 
 ## Key Concept: Executor vs Provider
 

docs/templates.md

@@ -25,7 +25,7 @@ agentforge templates list
 
 ## simple-sdlc
 
-**Package**: `agentforge-core` — available without platform
+**Package**: `@mandarnilange/agentforge-core` — available without platform
 
 Lightweight 3-agent SDLC pipeline. Takes a project brief, produces requirements, an architecture plan, and generated code.
 

package.json

@@ -1,6 +1,6 @@
 {
 	"name": "agentforge-monorepo",
-	"version": "0.2.0-rc.1",
+	"version": "0.2.0-rc.2",
 	"private": true,
 	"description": "AgentForge — Kubernetes for AI agent workflows",
 	"type": "module",