@0dai-dev/cli 4.3.4 → 4.3.6

package/lib/utils/activation_telemetry.js

@@ -0,0 +1,378 @@
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+
+// ---------------------------------------------------------------------------
+// Cohort detection
+// ---------------------------------------------------------------------------
+
+// Slug fragments that identify the 0dai self-build (dogfood) repo.
+// Any project whose scrubbed remote origin contains one of these strings is
+// classified as "dogfood". Everything else is "external".
+// Limitation (honest): until real external users exist, the "external" bucket
+// will be empty — local-only repos (no remote) also default to "dogfood"
+// because there is no reliable signal to distinguish them from the self-build.
+const DOGFOOD_ORIGIN_FRAGMENTS = ["iGeezmo/0dai", "0dai-dev/0dai", "0dai/0dai"];
+
+/**
+ * Classify the repo at `target` as "dogfood" or "external".
+ *
+ * Heuristic: if the git remote.origin.url (scrubbed of credentials) contains
+ * a known 0dai repo slug, the cohort is "dogfood". Otherwise "external".
+ * Falls back to "dogfood" when no remote is present (local-only repos).
+ *
+ * Honesty caveat: this is a name-match heuristic, not cryptographic identity.
+ * It will mis-classify a fork that still has the upstream remote as dogfood.
+ * It defaults to "dogfood" for local-only repos, so it NEVER over-counts
+ * external activations — it may under-count them.
+ *
+ * @param {string} target - absolute path to the repo root
+ * @returns {"dogfood"|"external"}
+ */
+function detectCohort(target) {
+  try {
+    const { execFileSync } = require("child_process");
+    const rawUrl = execFileSync(
+      "git", ["config", "--get", "remote.origin.url"],
+      { cwd: target, stdio: ["ignore", "pipe", "ignore"], encoding: "utf8", timeout: 3000 },
+    ).trim();
+    if (!rawUrl) return "dogfood";
+    // Scrub credentials (https://user:token@host → https://host)
+    const url = rawUrl.replace(/^(https?:\/\/)[^@/\s]+@/, "$1");
+    for (const frag of DOGFOOD_ORIGIN_FRAGMENTS) {
+      if (url.includes(frag)) return "dogfood";
+    }
+    return "external";
+  } catch {
+    // No git, no remote, or git error → safe fallback
+    return "dogfood";
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Merged-PR detection via git log
+// ---------------------------------------------------------------------------
+
+/**
+ * Detect the timestamp of the earliest merge commit in the repo's local history.
+ * Looks for commits that git identifies as merge commits (two+ parents), which
+ * covers both GitHub squash+merge and traditional merge strategies.
+ *
+ * Returns ISO timestamp of the earliest such commit, or null if none found.
+ *
+ * Limitation: reads only local history — will miss PRs merged on the remote
+ * before the repo was cloned if those commits were not fetched. That is
+ * acceptable: we record the first merge *experienced* in this checkout.
+ *
+ * @param {string} target - absolute path to the repo root
+ * @returns {string|null} ISO timestamp or null
+ */
+function detectFirstMergedPrTs(target) {
+  try {
+    const { execFileSync } = require("child_process");
+    // --merges selects only merge commits; --reverse gives oldest first; -1 takes the first
+    const out = execFileSync(
+      "git",
+      ["log", "--all", "--merges", "--format=%aI\t%s", "--reverse", "--max-count=1"],
+      { cwd: target, stdio: ["ignore", "pipe", "ignore"], encoding: "utf8", timeout: 5000 },
+    ).trim();
+    if (!out) return null;
+    const tab = out.indexOf("\t");
+    if (tab < 0) return null;
+    const ts = out.slice(0, tab).trim();
+    return ts || null;
+  } catch {
+    return null;
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Core helpers
+// ---------------------------------------------------------------------------
+
+function activationPath(target) {
+  return path.join(target, "ai", "meta", "telemetry", "activation.jsonl");
+}
+
+function nowIso() {
+  return new Date().toISOString();
+}
+
+function ensureDir(filePath) {
+  fs.mkdirSync(path.dirname(filePath), { recursive: true });
+}
+
+function readEvents(target) {
+  const file = activationPath(target);
+  if (!fs.existsSync(file)) return [];
+  const lines = fs.readFileSync(file, "utf8").trim().split("\n").filter(Boolean);
+  const events = [];
+  for (const ln of lines) {
+    try {
+      const row = JSON.parse(ln);
+      if (row && row.event) events.push(row);
+    } catch { /* ignore malformed lines */ }
+  }
+  return events;
+}
+
+function appendEvent(target, entry) {
+  const file = activationPath(target);
+  try {
+    ensureDir(file);
+    fs.appendFileSync(file, JSON.stringify(entry) + "\n", "utf8");
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function hasEvent(events, eventName, projectId) {
+  return events.some((e) => e.event === eventName && e.project_id === projectId);
+}
+
+function findInitTs(events, projectId) {
+  const init = events.find((e) => e.event === "init" && e.project_id === projectId);
+  return init && init.ts ? init.ts : null;
+}
+
+function parseTs(ts) {
+  const ms = Date.parse(ts);
+  return Number.isFinite(ms) ? ms : null;
+}
+
+// ---------------------------------------------------------------------------
+// Recorders
+// ---------------------------------------------------------------------------
+
+// Idempotently append init telemetry on successful init.
+function recordActivationInit(target, projectId, metadata = {}) {
+  try {
+    if (!projectId) return { fired: false };
+    const events = readEvents(target);
+    if (hasEvent(events, "init", projectId)) return { fired: false };
+    const cohort = detectCohort(target);
+    const stack = metadata.stack_detected || metadata.stack || "unknown";
+    const entry = {
+      event: "init",
+      ts: nowIso(),
+      project_id: projectId,
+      repo_fingerprint_hash: projectId,
+      stack_detected: stack,
+      cohort,
+    };
+    return { fired: appendEvent(target, entry) };
+  } catch {
+    return { fired: false };
+  }
+}
+
+// Idempotently append first_task with duration_ms = first_task.ts - init.ts.
+function recordActivationFirstTask(target, projectId, metadata = {}) {
+  try {
+    if (!projectId) return { fired: false, durationMs: null };
+    const events = readEvents(target);
+    if (hasEvent(events, "first_task", projectId)) {
+      return { fired: false, durationMs: null };
+    }
+
+    const initTs = findInitTs(events, projectId);
+    const ts = nowIso();
+    let durationMs = null;
+    if (initTs) {
+      const initMs = parseTs(initTs);
+      const taskMs = parseTs(ts);
+      if (initMs != null && taskMs != null) {
+        durationMs = Math.max(0, taskMs - initMs);
+      }
+    }
+
+    const cohort = detectCohort(target);
+    const entry = {
+      event: "first_task",
+      ts,
+      project_id: projectId,
+      duration_ms: durationMs,
+      cohort,
+      outcome: metadata.outcome || "task_queued",
+    };
+    if (Number.isFinite(metadata.task_count)) entry.task_count = metadata.task_count;
+    const fired = appendEvent(target, entry);
+    return { fired, durationMs };
+  } catch {
+    return { fired: false, durationMs: null };
+  }
+}
+
+/**
+ * Idempotently append a `first_merged_pr` activation event.
+ *
+ * This event marks the end-to-end activation funnel: init → first_task →
+ * first_merged_pr. It is what M6 "activation p50 <5min (measured)" needs to
+ * be verifiable end-to-end.
+ *
+ * Detection: inspects `git log --merges` for the earliest merge commit in
+ * the local history. If none exists yet, does nothing (caller should invoke
+ * again after a merge occurs, e.g. from `0dai status` or `0dai ci`).
+ *
+ * Fields emitted:
+ *   - event: "first_merged_pr"
+ *   - ts: ISO timestamp of the first merge commit (reflects when the PR was
+ *     actually merged, not wall-clock detection time)
+ *   - project_id: hashed repo identity (no raw origin stored — privacy-safe)
+ *   - cohort: "dogfood" | "external"
+ *   - duration_ms: ms between init event and the merge timestamp (null if no
+ *     init event found in the local activation.jsonl)
+ *
+ * @param {string} target - absolute path to the repo root
+ * @param {string} projectId - opaque project identifier
+ * @returns {{ fired: boolean, durationMs: number|null }}
+ */
+function recordActivationFirstMergedPR(target, projectId) {
+  try {
+    if (!projectId) return { fired: false, durationMs: null };
+    const events = readEvents(target);
+    if (hasEvent(events, "first_merged_pr", projectId)) {
+      return { fired: false, durationMs: null };
+    }
+
+    const mergeTs = detectFirstMergedPrTs(target);
+    if (!mergeTs) return { fired: false, durationMs: null };
+
+    const initTs = findInitTs(events, projectId);
+    let durationMs = null;
+    if (initTs) {
+      const initMs = parseTs(initTs);
+      const mergeMs = parseTs(mergeTs);
+      if (initMs != null && mergeMs != null) {
+        durationMs = Math.max(0, mergeMs - initMs);
+      }
+    }
+
+    const cohort = detectCohort(target);
+    const entry = {
+      event: "first_merged_pr",
+      ts: mergeTs,
+      project_id: projectId,
+      cohort,
+      duration_ms: durationMs,
+    };
+    const fired = appendEvent(target, entry);
+    return { fired, durationMs };
+  } catch {
+    return { fired: false, durationMs: null };
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Stats
+// ---------------------------------------------------------------------------
+
+function percentile(sorted, p) {
+  if (!sorted.length) return null;
+  if (sorted.length === 1) return sorted[0];
+  const idx = (sorted.length - 1) * p;
+  const lo = Math.floor(idx);
+  const hi = Math.ceil(idx);
+  if (lo === hi) return sorted[lo];
+  const weight = idx - lo;
+  return Math.round(sorted[lo] * (1 - weight) + sorted[hi] * weight);
+}
+
+function getActivationDurationStats(target) {
+  const events = readEvents(target);
+  const durations = events
+    .filter((e) => e.event === "first_task"
+      && typeof e.duration_ms === "number"
+      && Number.isFinite(e.duration_ms))
+    .map((e) => e.duration_ms)
+    .sort((a, b) => a - b);
+
+  return {
+    count: durations.length,
+    p50_ms: percentile(durations, 0.5),
+    p90_ms: percentile(durations, 0.9),
+  };
+}
+
+/**
+ * Stats over `first_merged_pr` events — parallel to getActivationDurationStats.
+ * Used by `0dai status` to surface end-to-end activation timing.
+ *
+ * @param {string} target
+ * @returns {{ count: number, p50_ms: number|null, p90_ms: number|null,
+ *             cohorts: { dogfood: number, external: number } }}
+ */
+function getActivationMergedPrStats(target) {
+  const events = readEvents(target);
+  const mergedPrEvents = events.filter((e) => e.event === "first_merged_pr");
+
+  const durations = mergedPrEvents
+    .filter((e) => typeof e.duration_ms === "number" && Number.isFinite(e.duration_ms))
+    .map((e) => e.duration_ms)
+    .sort((a, b) => a - b);
+
+  const cohorts = { dogfood: 0, external: 0 };
+  for (const e of mergedPrEvents) {
+    if (e.cohort === "external") cohorts.external++;
+    else cohorts.dogfood++;
+  }
+
+  return {
+    count: durations.length,
+    p50_ms: percentile(durations, 0.5),
+    p90_ms: percentile(durations, 0.9),
+    cohorts,
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Display helpers
+// ---------------------------------------------------------------------------
+
+function formatDurationMs(ms) {
+  if (ms == null) return "?";
+  if (ms < 1000) return `${ms}ms`;
+  if (ms < 60000) return `${(ms / 1000).toFixed(1)}s`;
+  return `${(ms / 60000).toFixed(1)}m`;
+}
+
+function printActivationStats(target) {
+  const stats = getActivationDurationStats(target);
+  if (stats.count > 0) {
+    console.log(
+      `  activation TTFV: p50 ${formatDurationMs(stats.p50_ms)}`
+      + ` / p90 ${formatDurationMs(stats.p90_ms)}`
+      + ` (${stats.count} sample${stats.count === 1 ? "" : "s"})`,
+    );
+  }
+
+  const mrStats = getActivationMergedPrStats(target);
+  if (mrStats.count > 0) {
+    const cohortNote = mrStats.cohorts.external > 0
+      ? ` [dogfood: ${mrStats.cohorts.dogfood}, external: ${mrStats.cohorts.external}]`
+      : ` [dogfood only — no external activations yet]`;
+    console.log(
+      `  activation first-PR: p50 ${formatDurationMs(mrStats.p50_ms)}`
+      + ` / p90 ${formatDurationMs(mrStats.p90_ms)}`
+      + ` (${mrStats.count} sample${mrStats.count === 1 ? "" : "s"})${cohortNote}`,
+    );
+  }
+
+  return { ttfv: stats, firstPr: mrStats };
+}
+
+module.exports = {
+  activationPath,
+  readEvents,
+  detectCohort,
+  detectFirstMergedPrTs,
+  recordActivationInit,
+  recordActivationFirstTask,
+  recordActivationFirstMergedPR,
+  getActivationDurationStats,
+  getActivationMergedPrStats,
+  printActivationStats,
+  formatDurationMs,
+};

package/lib/utils/constants.js

@@ -46,6 +46,13 @@ const SUPPORTED_CLIS = [
     altAuth: null,
     agentFiles: [".qoder/settings.json"],
   },
+  {
+    name: "cursor", bin: "cursor-agent",
+    pkg: null, pkgType: "curl",
+    install: "curl https://cursor.com/install -fsS | bash",
+    altAuth: "Cursor Pro/Business subscription",
+    agentFiles: [".cursor/mcp.json", ".cursor/hooks.json"],
+  },
 ];
 
 const MANIFEST_FILES = [

package/lib/utils/export-bundler.js

@@ -0,0 +1,285 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (c) 2026 0dai.dev
+//
+// F14 G4 Phase 2 — tarball builder for `0dai export --all`.
+//
+// Honors the layout pinned in docs/governance/data-export-contract.md
+// (F14 G4 Phase 1 / PR #3569). Phase 2 ships personas +
+// path-protect.yaml as real data, usage-ledger.jsonl when present,
+// and 6 placeholders for the rest.
+//
+// Uses `tar` shell command (always present on Linux/macOS) rather
+// than the `tar` npm module to avoid a new runtime dep.
+
+"use strict";
+
+const crypto = require("crypto");
+const fs = require("fs");
+const os = require("os");
+const path = require("path");
+const { spawnSync } = require("child_process");
+
+const PHASE = "F14 G4 Phase 2";
+const SCHEMA_VERSION = "1";
+
+const PLACEHOLDER_SURFACES = [
+  // (surface name, tarball relative path)
+  ["knowledge-graph", "knowledge-graph/entries.jsonl"],
+  ["audit-log", "audit-log/events.jsonl"],
+  ["team-config", "team/config.yaml"],
+  ["repo-links", "repo-links.json"],
+  ["webhooks", "webhooks.yaml"],
+  ["feature-flags", "feature-flags.yaml"],
+];
+
+function sha256OfFile(filePath) {
+  const hash = crypto.createHash("sha256");
+  const fd = fs.openSync(filePath, "r");
+  const buf = Buffer.allocUnsafe(1024 * 1024);
+  try {
+    let n = 0;
+    do {
+      n = fs.readSync(fd, buf, 0, buf.length, null);
+      if (n > 0) hash.update(buf.subarray(0, n));
+    } while (n > 0);
+  } finally {
+    fs.closeSync(fd);
+  }
+  return hash.digest("hex");
+}
+
+function sha256OfBytes(bytes) {
+  return crypto.createHash("sha256").update(bytes).digest("hex");
+}
+
+function listPersonas(sourceRoot) {
+  const personasDir = path.join(sourceRoot, "ai", "personas");
+  if (!fs.existsSync(personasDir)) return [];
+  return fs.readdirSync(personasDir)
+    .filter((name) => name.endsWith(".yaml") || name.endsWith(".yml"))
+    .map((name) => ({
+      name,
+      sourcePath: path.join(personasDir, name),
+    }));
+}
+
+function pathProtectPath(sourceRoot) {
+  const p = path.join(sourceRoot, "ai", "policy", "path-protect.yaml");
+  return fs.existsSync(p) ? p : null;
+}
+
+function usageLedgerPath(sourceRoot) {
+  const p = path.join(sourceRoot, "ai", "telemetry", "usage-ledger.jsonl");
+  return fs.existsSync(p) ? p : null;
+}
+
+function readme(tenantId) {
+  return `# 0dai export bundle
+
+Generated by \`0dai export --all\` (F14 G4 Phase 2).
+
+Verify per docs/governance/data-export-contract.md.
+
+Tenant: ${tenantId}
+Schema version: ${SCHEMA_VERSION}
+`;
+}
+
+function placeholderPayload(surface) {
+  return JSON.stringify({
+    _status: "not-implemented",
+    _surface: surface,
+    _since: PHASE,
+    _note: "Phase 3 will populate this surface; today it ships as a placeholder so re-import tooling can validate the layout.",
+  }, null, 2) + "\n";
+}
+
+async function buildExportTarball({ sourceRoot, outputPath }) {
+  if (!sourceRoot || !fs.existsSync(sourceRoot)) {
+    throw new Error(`source root not found: ${sourceRoot}`);
+  }
+  const outDir = path.dirname(path.resolve(outputPath));
+  if (!fs.existsSync(outDir)) {
+    throw new Error(`output dir does not exist: ${outDir}`);
+  }
+
+  const stagingRoot = fs.mkdtempSync(path.join(os.tmpdir(), "0dai-export-"));
+  try {
+    // README.md
+    const tenantId = path.basename(sourceRoot);
+    const readmeBytes = Buffer.from(readme(tenantId), "utf8");
+    fs.writeFileSync(path.join(stagingRoot, "README.md"), readmeBytes);
+
+    // tenant.json (stub — Phase 3 populates from API)
+    const tenantBytes = Buffer.from(JSON.stringify({
+      _status: "stub",
+      _since: PHASE,
+      tenant_id: tenantId,
+      exported_at: new Date().toISOString(),
+    }, null, 2) + "\n", "utf8");
+    fs.writeFileSync(path.join(stagingRoot, "tenant.json"), tenantBytes);
+
+    // personas/<name>.yaml (real data)
+    const personasOutDir = path.join(stagingRoot, "personas");
+    fs.mkdirSync(personasOutDir, { recursive: true });
+    const personas = listPersonas(sourceRoot);
+    const personaManifest = [];
+    for (const p of personas) {
+      const dest = path.join(personasOutDir, p.name);
+      fs.copyFileSync(p.sourcePath, dest);
+      personaManifest.push({
+        path: `personas/${p.name}`,
+        bytes: fs.statSync(dest).size,
+        sha256: sha256OfFile(dest),
+      });
+    }
+
+    // path-protect.yaml (real data, if present)
+    const pp = pathProtectPath(sourceRoot);
+    let pathProtectManifest = null;
+    if (pp) {
+      const dest = path.join(stagingRoot, "path-protect.yaml");
+      fs.copyFileSync(pp, dest);
+      pathProtectManifest = {
+        path: "path-protect.yaml",
+        bytes: fs.statSync(dest).size,
+        sha256: sha256OfFile(dest),
+      };
+    }
+
+    // usage/history.jsonl (real data from ai/telemetry/usage-ledger.jsonl, if present)
+    // Schema is the LedgerEntry dataclass in scripts/usage_ledger.py (~line 92):
+    // ts, task_id, agent, model, model_tier, tokens_input/output/total, cost_usd, plan, ...
+    const ul = usageLedgerPath(sourceRoot);
+    let usageLedgerManifest = null;
+    if (ul) {
+      const usageOutDir = path.join(stagingRoot, "usage");
+      fs.mkdirSync(usageOutDir, { recursive: true });
+      const dest = path.join(usageOutDir, "history.jsonl");
+      fs.copyFileSync(ul, dest);
+      usageLedgerManifest = {
+        path: "usage/history.jsonl",
+        bytes: fs.statSync(dest).size,
+        sha256: sha256OfFile(dest),
+      };
+    }
+
+    // 6 placeholder surfaces
+    const placeholderManifest = [];
+    for (const [surface, relPath] of PLACEHOLDER_SURFACES) {
+      const dest = path.join(stagingRoot, relPath);
+      fs.mkdirSync(path.dirname(dest), { recursive: true });
+      const payload = placeholderPayload(surface);
+      fs.writeFileSync(dest, payload, "utf8");
+      placeholderManifest.push({
+        path: relPath,
+        bytes: Buffer.byteLength(payload, "utf8"),
+        sha256: sha256OfBytes(Buffer.from(payload, "utf8")),
+        status: "not-implemented",
+      });
+    }
+
+    // MANIFEST.json (must come last so other files' checksums are settled)
+    const manifest = {
+      schema_version: SCHEMA_VERSION,
+      generated_at: new Date().toISOString(),
+      since: PHASE,
+      tenant_id: tenantId,
+      files: [
+        { path: "README.md", bytes: readmeBytes.length, sha256: sha256OfBytes(readmeBytes) },
+        { path: "tenant.json", bytes: tenantBytes.length, sha256: sha256OfBytes(tenantBytes) },
+        ...personaManifest,
+        ...(pathProtectManifest ? [pathProtectManifest] : []),
+        ...(usageLedgerManifest ? [usageLedgerManifest] : []),
+        ...placeholderManifest,
+      ],
+    };
+    fs.writeFileSync(
+      path.join(stagingRoot, "MANIFEST.json"),
+      JSON.stringify(manifest, null, 2) + "\n",
+      "utf8",
+    );
+
+    // Create gzipped tarball.
+    const r = spawnSync("tar", ["-czf", path.resolve(outputPath), "-C", stagingRoot, "."]);
+    if (r.status !== 0) {
+      const stderr = r.stderr ? r.stderr.toString("utf8") : "(no stderr)";
+      throw new Error(`tar exited ${r.status}: ${stderr}`);
+    }
+
+    // F14 G4 Phase 3 — try cosign keyless signing. Falls back to
+    // empty .sig + .crt stubs (preserving the layout contract)
+    // when cosign is absent or the operator opts out.
+    const sigPath = `${outputPath}.sig`;
+    const crtPath = `${outputPath}.crt`;
+    const signResult = trySignTarball({
+      tarballPath: path.resolve(outputPath),
+      sigPath,
+      crtPath,
+    });
+
+    return {
+      tarballPath: path.resolve(outputPath),
+      sigPath,
+      crtPath,
+      sha256: sha256OfFile(outputPath),
+      signed: signResult.signed,
+      signSkipReason: signResult.skipReason,
+      counts: {
+        personas: personaManifest.length,
+        pathProtect: pathProtectManifest ? 1 : 0,
+        usageLedger: usageLedgerManifest ? 1 : 0,
+        placeholders: placeholderManifest.length,
+      },
+    };
+  } finally {
+    // Best-effort cleanup; ignore errors.
+    try { fs.rmSync(stagingRoot, { recursive: true, force: true }); } catch { /* ignore */ }
+  }
+}
+
+function trySignTarball({ tarballPath, sigPath, crtPath }) {
+  // F14 G4 Phase 3. Trust anchor matches the F16 G2 release-signing
+  // pipeline (release-artifact-signing.yml from PR #3521).
+  //
+  // Skipped when:
+  //   - ODAI_EXPORT_SKIP_SIGN=1 is set (explicit opt-out)
+  //   - cosign binary is not on PATH (local dev without sigstore)
+  //   - cosign exits non-zero (Fulcio OIDC unavailable, etc.)
+  // In every skip case we write empty .sig + .crt stubs so the
+  // tarball layout contract from F14 G4 Phase 1 (#3569) holds.
+  if (process.env.ODAI_EXPORT_SKIP_SIGN === "1") {
+    fs.writeFileSync(sigPath, "");
+    fs.writeFileSync(crtPath, "");
+    return { signed: false, skipReason: "ODAI_EXPORT_SKIP_SIGN=1" };
+  }
+  // Probe for cosign on PATH without bombing the export when absent.
+  const probe = spawnSync("cosign", ["version"], { stdio: ["ignore", "pipe", "pipe"] });
+  if (probe.error || probe.status !== 0) {
+    fs.writeFileSync(sigPath, "");
+    fs.writeFileSync(crtPath, "");
+    return { signed: false, skipReason: "cosign not on PATH" };
+  }
+  const env = { ...process.env, COSIGN_EXPERIMENTAL: process.env.COSIGN_EXPERIMENTAL || "1" };
+  const r = spawnSync(
+    "cosign",
+    [
+      "sign-blob",
+      "--yes",
+      "--output-signature", sigPath,
+      "--output-certificate", crtPath,
+      tarballPath,
+    ],
+    { env, stdio: ["ignore", "pipe", "pipe"] },
+  );
+  if (r.status !== 0) {
+    // Leave (or write) empty stubs so the layout still holds.
+    try { fs.writeFileSync(sigPath, ""); } catch { /* ignore */ }
+    try { fs.writeFileSync(crtPath, ""); } catch { /* ignore */ }
+    const stderr = r.stderr ? r.stderr.toString("utf8").trim().slice(0, 200) : `exit ${r.status}`;
+    return { signed: false, skipReason: `cosign sign-blob failed: ${stderr}` };
+  }
+  return { signed: true, skipReason: null };
+}
+
+module.exports = { buildExportTarball, listPersonas, pathProtectPath, usageLedgerPath, trySignTarball, PLACEHOLDER_SURFACES, PHASE, SCHEMA_VERSION };

package/lib/utils/identity.js

@@ -148,6 +148,19 @@ function detectStackHint(projectFiles, manifestContents) {
   return "unknown";
 }
 
+/**
+ * Return a {filename: sha256hex} map for the given manifest contents.
+ * The raw content never leaves the machine — only the hash is exported.
+ */
+function hashManifestFiles(manifestContents) {
+  const crypto = require("crypto");
+  const hashes = {};
+  for (const [name, content] of Object.entries(manifestContents)) {
+    hashes[name] = crypto.createHash("sha256").update(content, "utf8").digest("hex");
+  }
+  return hashes;
+}
+
 function collectMetadata(target) {
   const projectFiles = [];
   const manifestContents = {};
@@ -201,5 +214,5 @@ module.exports = {
   deviceFingerprint, registerProject, projectIdFor, projectIdSeed,
   scrubRemoteUrl, readProjectManifest, readDiscovery,
   getGitRemoteOrigin, inferProjectName, detectStackHint,
-  collectMetadata, buildProjectIdentity,
+  collectMetadata, buildProjectIdentity, hashManifestFiles,
 };