@adammcarter/use-cases 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.agents/skills/migration/SKILL.md +85 -0
- package/.agents/skills/showcase/SKILL.md +60 -0
- package/.agents/skills/use-cases/SKILL.md +161 -0
- package/.agents/skills/walkthrough/SKILL.md +48 -0
- package/.claude-plugin/plugin.json +14 -0
- package/.codex-plugin/plugin.json +33 -0
- package/.mcp.json +8 -0
- package/.opencode/plugin/use-cases.js +32 -0
- package/CHANGELOG.md +125 -0
- package/LICENSE +21 -0
- package/README.md +112 -0
- package/bootstrap/use-cases.md +60 -0
- package/docs/README.md +51 -0
- package/docs/acceptance.md +16 -0
- package/docs/activation.md +89 -0
- package/docs/adr/0001-p0-bootstrap-decisions.md +107 -0
- package/docs/adr/0002-p1-schema-contracts.md +136 -0
- package/docs/adr/0003-p2-use-case-matrix-contracts.md +67 -0
- package/docs/adr/0004-p3-evidence-ledger-contracts.md +85 -0
- package/docs/adr/0005-p4-cli-contract.md +70 -0
- package/docs/adr/0006-trusted-user-approval-path.md +125 -0
- package/docs/cli.md +108 -0
- package/docs/data-model.md +56 -0
- package/docs/getting-started.md +296 -0
- package/docs/hosts.md +30 -0
- package/docs/markers-adoption.md +100 -0
- package/docs/mcp.md +114 -0
- package/docs/migration.md +90 -0
- package/docs/reference/error-codes.md +123 -0
- package/docs/reference/stability.md +123 -0
- package/docs/release.md +26 -0
- package/docs/security/ci-hardening.md +144 -0
- package/docs/security/key-management.md +158 -0
- package/docs/security.md +66 -0
- package/docs/showcase.md +39 -0
- package/docs/tutorials/python-pytest.md +188 -0
- package/examples/basic-product/demo-capsules/product-search.yml +23 -0
- package/examples/basic-product/evidence/by-id/ev/evidence-basic-search.jsonl +1 -0
- package/examples/basic-product/showcase-runs/run.basic.product.search/events.jsonl +4 -0
- package/examples/basic-product/use-cases/product.yml +85 -0
- package/examples/basic-product/use-cases.yml +9 -0
- package/examples/damaged-product/evidence/broken.jsonl +1 -0
- package/examples/damaged-product/use-cases/duplicate-a.yml +28 -0
- package/examples/damaged-product/use-cases/duplicate-b.yml +28 -0
- package/examples/damaged-product/use-cases/malformed.yml +14 -0
- package/examples/damaged-product/use-cases/valid-sibling.yml +28 -0
- package/examples/damaged-product/use-cases.yml +9 -0
- package/examples/host-projections/use-cases.yml +9 -0
- package/examples/python-pytest/README.md +39 -0
- package/examples/python-pytest/pytest.ini +8 -0
- package/examples/python-pytest/src/coupon.py +32 -0
- package/examples/python-pytest/tests/use_cases/example.checkout.apply_coupon_test.py +31 -0
- package/examples/python-pytest/use-cases/checkout.yml +47 -0
- package/examples/python-pytest/use-cases.yml +19 -0
- package/hooks/hooks-codex.json +16 -0
- package/hooks/hooks.json +16 -0
- package/hooks/session-start +42 -0
- package/hosts/claude.yml +29 -0
- package/hosts/codex.yml +29 -0
- package/hosts/copilot.yml +29 -0
- package/hosts/opencode.yml +29 -0
- package/package.json +81 -0
- package/packages/cli/README.md +37 -0
- package/packages/cli/dist/args/parse.d.ts +6 -0
- package/packages/cli/dist/args/parse.d.ts.map +1 -0
- package/packages/cli/dist/args/parse.js +55 -0
- package/packages/cli/dist/args/parse.js.map +1 -0
- package/packages/cli/dist/args/validate.d.ts +3 -0
- package/packages/cli/dist/args/validate.d.ts.map +1 -0
- package/packages/cli/dist/args/validate.js +80 -0
- package/packages/cli/dist/args/validate.js.map +1 -0
- package/packages/cli/dist/builtins.d.ts +2 -0
- package/packages/cli/dist/builtins.d.ts.map +1 -0
- package/packages/cli/dist/builtins.js +235 -0
- package/packages/cli/dist/builtins.js.map +1 -0
- package/packages/cli/dist/command/dispatch.d.ts +4 -0
- package/packages/cli/dist/command/dispatch.d.ts.map +1 -0
- package/packages/cli/dist/command/dispatch.js +45 -0
- package/packages/cli/dist/command/dispatch.js.map +1 -0
- package/packages/cli/dist/command/help-catalog.d.ts +13 -0
- package/packages/cli/dist/command/help-catalog.d.ts.map +1 -0
- package/packages/cli/dist/command/help-catalog.js +42 -0
- package/packages/cli/dist/command/help-catalog.js.map +1 -0
- package/packages/cli/dist/command/registry.d.ts +3 -0
- package/packages/cli/dist/command/registry.d.ts.map +1 -0
- package/packages/cli/dist/command/registry.js +33 -0
- package/packages/cli/dist/command/registry.js.map +1 -0
- package/packages/cli/dist/command/types.d.ts +32 -0
- package/packages/cli/dist/command/types.d.ts.map +1 -0
- package/packages/cli/dist/command/types.js +6 -0
- package/packages/cli/dist/command/types.js.map +1 -0
- package/packages/cli/dist/commands/capsule.d.ts +7 -0
- package/packages/cli/dist/commands/capsule.d.ts.map +1 -0
- package/packages/cli/dist/commands/capsule.js +178 -0
- package/packages/cli/dist/commands/capsule.js.map +1 -0
- package/packages/cli/dist/commands/common.d.ts +7 -0
- package/packages/cli/dist/commands/common.d.ts.map +1 -0
- package/packages/cli/dist/commands/common.js +32 -0
- package/packages/cli/dist/commands/common.js.map +1 -0
- package/packages/cli/dist/commands/doctor.d.ts +6 -0
- package/packages/cli/dist/commands/doctor.d.ts.map +1 -0
- package/packages/cli/dist/commands/doctor.js +133 -0
- package/packages/cli/dist/commands/doctor.js.map +1 -0
- package/packages/cli/dist/commands/evidence.d.ts +6 -0
- package/packages/cli/dist/commands/evidence.d.ts.map +1 -0
- package/packages/cli/dist/commands/evidence.js +191 -0
- package/packages/cli/dist/commands/evidence.js.map +1 -0
- package/packages/cli/dist/commands/host.d.ts +6 -0
- package/packages/cli/dist/commands/host.d.ts.map +1 -0
- package/packages/cli/dist/commands/host.js +180 -0
- package/packages/cli/dist/commands/host.js.map +1 -0
- package/packages/cli/dist/commands/keygen.d.ts +4 -0
- package/packages/cli/dist/commands/keygen.d.ts.map +1 -0
- package/packages/cli/dist/commands/keygen.js +132 -0
- package/packages/cli/dist/commands/keygen.js.map +1 -0
- package/packages/cli/dist/commands/markers.d.ts +8 -0
- package/packages/cli/dist/commands/markers.d.ts.map +1 -0
- package/packages/cli/dist/commands/markers.js +455 -0
- package/packages/cli/dist/commands/markers.js.map +1 -0
- package/packages/cli/dist/commands/matrix.d.ts +8 -0
- package/packages/cli/dist/commands/matrix.d.ts.map +1 -0
- package/packages/cli/dist/commands/matrix.js +237 -0
- package/packages/cli/dist/commands/matrix.js.map +1 -0
- package/packages/cli/dist/commands/migrate.d.ts +4 -0
- package/packages/cli/dist/commands/migrate.d.ts.map +1 -0
- package/packages/cli/dist/commands/migrate.js +82 -0
- package/packages/cli/dist/commands/migrate.js.map +1 -0
- package/packages/cli/dist/commands/plan.d.ts +6 -0
- package/packages/cli/dist/commands/plan.d.ts.map +1 -0
- package/packages/cli/dist/commands/plan.js +129 -0
- package/packages/cli/dist/commands/plan.js.map +1 -0
- package/packages/cli/dist/commands/recover.d.ts +4 -0
- package/packages/cli/dist/commands/recover.d.ts.map +1 -0
- package/packages/cli/dist/commands/recover.js +352 -0
- package/packages/cli/dist/commands/recover.js.map +1 -0
- package/packages/cli/dist/commands/schema.d.ts +5 -0
- package/packages/cli/dist/commands/schema.d.ts.map +1 -0
- package/packages/cli/dist/commands/schema.js +51 -0
- package/packages/cli/dist/commands/schema.js.map +1 -0
- package/packages/cli/dist/commands/showcase.d.ts +14 -0
- package/packages/cli/dist/commands/showcase.d.ts.map +1 -0
- package/packages/cli/dist/commands/showcase.js +638 -0
- package/packages/cli/dist/commands/showcase.js.map +1 -0
- package/packages/cli/dist/commands/workflow.d.ts +5 -0
- package/packages/cli/dist/commands/workflow.d.ts.map +1 -0
- package/packages/cli/dist/commands/workflow.js +107 -0
- package/packages/cli/dist/commands/workflow.js.map +1 -0
- package/packages/cli/dist/coreLoader.d.ts +6 -0
- package/packages/cli/dist/coreLoader.d.ts.map +1 -0
- package/packages/cli/dist/coreLoader.js +34 -0
- package/packages/cli/dist/coreLoader.js.map +1 -0
- package/packages/cli/dist/index.d.ts +5 -0
- package/packages/cli/dist/index.d.ts.map +1 -0
- package/packages/cli/dist/index.js +83 -0
- package/packages/cli/dist/index.js.map +1 -0
- package/packages/cli/dist/render.d.ts +2 -0
- package/packages/cli/dist/render.d.ts.map +1 -0
- package/packages/cli/dist/render.js +88 -0
- package/packages/cli/dist/render.js.map +1 -0
- package/packages/cli/dist/runtime.d.ts +25 -0
- package/packages/cli/dist/runtime.d.ts.map +1 -0
- package/packages/cli/dist/runtime.js +89 -0
- package/packages/cli/dist/runtime.js.map +1 -0
- package/packages/cli/package.json +38 -0
- package/packages/core/README.md +37 -0
- package/packages/core/dist/capsules/index.d.ts +4 -0
- package/packages/core/dist/capsules/index.d.ts.map +1 -0
- package/packages/core/dist/capsules/index.js +4 -0
- package/packages/core/dist/capsules/index.js.map +1 -0
- package/packages/core/dist/capsules/loadCapsule.d.ts +11 -0
- package/packages/core/dist/capsules/loadCapsule.d.ts.map +1 -0
- package/packages/core/dist/capsules/loadCapsule.js +167 -0
- package/packages/core/dist/capsules/loadCapsule.js.map +1 -0
- package/packages/core/dist/capsules/runCapsule.d.ts +3 -0
- package/packages/core/dist/capsules/runCapsule.d.ts.map +1 -0
- package/packages/core/dist/capsules/runCapsule.js +333 -0
- package/packages/core/dist/capsules/runCapsule.js.map +1 -0
- package/packages/core/dist/capsules/types.d.ts +106 -0
- package/packages/core/dist/capsules/types.d.ts.map +1 -0
- package/packages/core/dist/capsules/types.js +2 -0
- package/packages/core/dist/capsules/types.js.map +1 -0
- package/packages/core/dist/durableWrite.d.ts +2 -0
- package/packages/core/dist/durableWrite.d.ts.map +1 -0
- package/packages/core/dist/durableWrite.js +34 -0
- package/packages/core/dist/durableWrite.js.map +1 -0
- package/packages/core/dist/errors/registry.d.ts +122 -0
- package/packages/core/dist/errors/registry.d.ts.map +1 -0
- package/packages/core/dist/errors/registry.js +206 -0
- package/packages/core/dist/errors/registry.js.map +1 -0
- package/packages/core/dist/errors/render.d.ts +3 -0
- package/packages/core/dist/errors/render.d.ts.map +1 -0
- package/packages/core/dist/errors/render.js +64 -0
- package/packages/core/dist/errors/render.js.map +1 -0
- package/packages/core/dist/errors.d.ts +5 -0
- package/packages/core/dist/errors.d.ts.map +1 -0
- package/packages/core/dist/errors.js +9 -0
- package/packages/core/dist/errors.js.map +1 -0
- package/packages/core/dist/evidence/appendEvidenceEvent.d.ts +27 -0
- package/packages/core/dist/evidence/appendEvidenceEvent.d.ts.map +1 -0
- package/packages/core/dist/evidence/appendEvidenceEvent.js +218 -0
- package/packages/core/dist/evidence/appendEvidenceEvent.js.map +1 -0
- package/packages/core/dist/evidence/assurance.d.ts +18 -0
- package/packages/core/dist/evidence/assurance.d.ts.map +1 -0
- package/packages/core/dist/evidence/assurance.js +38 -0
- package/packages/core/dist/evidence/assurance.js.map +1 -0
- package/packages/core/dist/evidence/index.d.ts +8 -0
- package/packages/core/dist/evidence/index.d.ts.map +1 -0
- package/packages/core/dist/evidence/index.js +8 -0
- package/packages/core/dist/evidence/index.js.map +1 -0
- package/packages/core/dist/evidence/jsonlLedger.d.ts +13 -0
- package/packages/core/dist/evidence/jsonlLedger.d.ts.map +1 -0
- package/packages/core/dist/evidence/jsonlLedger.js +171 -0
- package/packages/core/dist/evidence/jsonlLedger.js.map +1 -0
- package/packages/core/dist/evidence/linkEvidence.d.ts +4 -0
- package/packages/core/dist/evidence/linkEvidence.d.ts.map +1 -0
- package/packages/core/dist/evidence/linkEvidence.js +53 -0
- package/packages/core/dist/evidence/linkEvidence.js.map +1 -0
- package/packages/core/dist/evidence/replayEvidence.d.ts +6 -0
- package/packages/core/dist/evidence/replayEvidence.d.ts.map +1 -0
- package/packages/core/dist/evidence/replayEvidence.js +216 -0
- package/packages/core/dist/evidence/replayEvidence.js.map +1 -0
- package/packages/core/dist/evidence/results.d.ts +4 -0
- package/packages/core/dist/evidence/results.d.ts.map +1 -0
- package/packages/core/dist/evidence/results.js +32 -0
- package/packages/core/dist/evidence/results.js.map +1 -0
- package/packages/core/dist/evidence/types.d.ts +149 -0
- package/packages/core/dist/evidence/types.d.ts.map +1 -0
- package/packages/core/dist/evidence/types.js +2 -0
- package/packages/core/dist/evidence/types.js.map +1 -0
- package/packages/core/dist/host-profiles/claude.yml +29 -0
- package/packages/core/dist/host-profiles/codex.yml +29 -0
- package/packages/core/dist/host-profiles/copilot.yml +29 -0
- package/packages/core/dist/host-profiles/opencode.yml +29 -0
- package/packages/core/dist/hosts/conformanceStatus.d.ts +16 -0
- package/packages/core/dist/hosts/conformanceStatus.d.ts.map +1 -0
- package/packages/core/dist/hosts/conformanceStatus.js +160 -0
- package/packages/core/dist/hosts/conformanceStatus.js.map +1 -0
- package/packages/core/dist/hosts/index.d.ts +5 -0
- package/packages/core/dist/hosts/index.d.ts.map +1 -0
- package/packages/core/dist/hosts/index.js +5 -0
- package/packages/core/dist/hosts/index.js.map +1 -0
- package/packages/core/dist/hosts/loadHostProfile.d.ts +6 -0
- package/packages/core/dist/hosts/loadHostProfile.d.ts.map +1 -0
- package/packages/core/dist/hosts/loadHostProfile.js +41 -0
- package/packages/core/dist/hosts/loadHostProfile.js.map +1 -0
- package/packages/core/dist/hosts/projectHostFiles.d.ts +16 -0
- package/packages/core/dist/hosts/projectHostFiles.d.ts.map +1 -0
- package/packages/core/dist/hosts/projectHostFiles.js +272 -0
- package/packages/core/dist/hosts/projectHostFiles.js.map +1 -0
- package/packages/core/dist/hosts/types.d.ts +122 -0
- package/packages/core/dist/hosts/types.d.ts.map +1 -0
- package/packages/core/dist/hosts/types.js +2 -0
- package/packages/core/dist/hosts/types.js.map +1 -0
- package/packages/core/dist/index.d.ts +26 -0
- package/packages/core/dist/index.d.ts.map +1 -0
- package/packages/core/dist/index.js +31 -0
- package/packages/core/dist/index.js.map +1 -0
- package/packages/core/dist/init/index.d.ts +2 -0
- package/packages/core/dist/init/index.d.ts.map +1 -0
- package/packages/core/dist/init/index.js +3 -0
- package/packages/core/dist/init/index.js.map +1 -0
- package/packages/core/dist/init/scaffold.d.ts +28 -0
- package/packages/core/dist/init/scaffold.d.ts.map +1 -0
- package/packages/core/dist/init/scaffold.js +293 -0
- package/packages/core/dist/init/scaffold.js.map +1 -0
- package/packages/core/dist/markers/appendOnly.d.ts +23 -0
- package/packages/core/dist/markers/appendOnly.d.ts.map +1 -0
- package/packages/core/dist/markers/appendOnly.js +75 -0
- package/packages/core/dist/markers/appendOnly.js.map +1 -0
- package/packages/core/dist/markers/bindingSetHash.d.ts +28 -0
- package/packages/core/dist/markers/bindingSetHash.d.ts.map +1 -0
- package/packages/core/dist/markers/bindingSetHash.js +33 -0
- package/packages/core/dist/markers/bindingSetHash.js.map +1 -0
- package/packages/core/dist/markers/canonicalJson.d.ts +4 -0
- package/packages/core/dist/markers/canonicalJson.d.ts.map +1 -0
- package/packages/core/dist/markers/canonicalJson.js +51 -0
- package/packages/core/dist/markers/canonicalJson.js.map +1 -0
- package/packages/core/dist/markers/ciAuthority.d.ts +17 -0
- package/packages/core/dist/markers/ciAuthority.d.ts.map +1 -0
- package/packages/core/dist/markers/ciAuthority.js +131 -0
- package/packages/core/dist/markers/ciAuthority.js.map +1 -0
- package/packages/core/dist/markers/cli/bind.d.ts +48 -0
- package/packages/core/dist/markers/cli/bind.d.ts.map +1 -0
- package/packages/core/dist/markers/cli/bind.js +198 -0
- package/packages/core/dist/markers/cli/bind.js.map +1 -0
- package/packages/core/dist/markers/cli/index.d.ts +9 -0
- package/packages/core/dist/markers/cli/index.d.ts.map +1 -0
- package/packages/core/dist/markers/cli/index.js +15 -0
- package/packages/core/dist/markers/cli/index.js.map +1 -0
- package/packages/core/dist/markers/cli/io.d.ts +18 -0
- package/packages/core/dist/markers/cli/io.d.ts.map +1 -0
- package/packages/core/dist/markers/cli/io.js +62 -0
- package/packages/core/dist/markers/cli/io.js.map +1 -0
- package/packages/core/dist/markers/cli/precommit.d.ts +32 -0
- package/packages/core/dist/markers/cli/precommit.d.ts.map +1 -0
- package/packages/core/dist/markers/cli/precommit.js +174 -0
- package/packages/core/dist/markers/cli/precommit.js.map +1 -0
- package/packages/core/dist/markers/cli/prove.d.ts +69 -0
- package/packages/core/dist/markers/cli/prove.d.ts.map +1 -0
- package/packages/core/dist/markers/cli/prove.js +381 -0
- package/packages/core/dist/markers/cli/prove.js.map +1 -0
- package/packages/core/dist/markers/cli/scan.d.ts +63 -0
- package/packages/core/dist/markers/cli/scan.d.ts.map +1 -0
- package/packages/core/dist/markers/cli/scan.js +233 -0
- package/packages/core/dist/markers/cli/scan.js.map +1 -0
- package/packages/core/dist/markers/cli/shared.d.ts +25 -0
- package/packages/core/dist/markers/cli/shared.d.ts.map +1 -0
- package/packages/core/dist/markers/cli/shared.js +123 -0
- package/packages/core/dist/markers/cli/shared.js.map +1 -0
- package/packages/core/dist/markers/cli/validateLedger.d.ts +38 -0
- package/packages/core/dist/markers/cli/validateLedger.d.ts.map +1 -0
- package/packages/core/dist/markers/cli/validateLedger.js +81 -0
- package/packages/core/dist/markers/cli/validateLedger.js.map +1 -0
- package/packages/core/dist/markers/cli/verify.d.ts +65 -0
- package/packages/core/dist/markers/cli/verify.d.ts.map +1 -0
- package/packages/core/dist/markers/cli/verify.js +245 -0
- package/packages/core/dist/markers/cli/verify.js.map +1 -0
- package/packages/core/dist/markers/commentPrefix.d.ts +7 -0
- package/packages/core/dist/markers/commentPrefix.d.ts.map +1 -0
- package/packages/core/dist/markers/commentPrefix.js +79 -0
- package/packages/core/dist/markers/commentPrefix.js.map +1 -0
- package/packages/core/dist/markers/constants.d.ts +10 -0
- package/packages/core/dist/markers/constants.d.ts.map +1 -0
- package/packages/core/dist/markers/constants.js +13 -0
- package/packages/core/dist/markers/constants.js.map +1 -0
- package/packages/core/dist/markers/evidenceLedger.d.ts +150 -0
- package/packages/core/dist/markers/evidenceLedger.d.ts.map +1 -0
- package/packages/core/dist/markers/evidenceLedger.js +391 -0
- package/packages/core/dist/markers/evidenceLedger.js.map +1 -0
- package/packages/core/dist/markers/freshness.d.ts +125 -0
- package/packages/core/dist/markers/freshness.d.ts.map +1 -0
- package/packages/core/dist/markers/freshness.js +605 -0
- package/packages/core/dist/markers/freshness.js.map +1 -0
- package/packages/core/dist/markers/index.d.ts +26 -0
- package/packages/core/dist/markers/index.d.ts.map +1 -0
- package/packages/core/dist/markers/index.js +38 -0
- package/packages/core/dist/markers/index.js.map +1 -0
- package/packages/core/dist/markers/keygen.d.ts +6 -0
- package/packages/core/dist/markers/keygen.d.ts.map +1 -0
- package/packages/core/dist/markers/keygen.js +18 -0
- package/packages/core/dist/markers/keygen.js.map +1 -0
- package/packages/core/dist/markers/keyring.d.ts +23 -0
- package/packages/core/dist/markers/keyring.d.ts.map +1 -0
- package/packages/core/dist/markers/keyring.js +93 -0
- package/packages/core/dist/markers/keyring.js.map +1 -0
- package/packages/core/dist/markers/markerLine.d.ts +35 -0
- package/packages/core/dist/markers/markerLine.d.ts.map +1 -0
- package/packages/core/dist/markers/markerLine.js +125 -0
- package/packages/core/dist/markers/markerLine.js.map +1 -0
- package/packages/core/dist/markers/physicalLines.d.ts +10 -0
- package/packages/core/dist/markers/physicalLines.d.ts.map +1 -0
- package/packages/core/dist/markers/physicalLines.js +48 -0
- package/packages/core/dist/markers/physicalLines.js.map +1 -0
- package/packages/core/dist/markers/policyHash.d.ts +4 -0
- package/packages/core/dist/markers/policyHash.d.ts.map +1 -0
- package/packages/core/dist/markers/policyHash.js +14 -0
- package/packages/core/dist/markers/policyHash.js.map +1 -0
- package/packages/core/dist/markers/proofSignature.d.ts +29 -0
- package/packages/core/dist/markers/proofSignature.d.ts.map +1 -0
- package/packages/core/dist/markers/proofSignature.js +106 -0
- package/packages/core/dist/markers/proofSignature.js.map +1 -0
- package/packages/core/dist/markers/reconcile.d.ts +26 -0
- package/packages/core/dist/markers/reconcile.d.ts.map +1 -0
- package/packages/core/dist/markers/reconcile.js +52 -0
- package/packages/core/dist/markers/reconcile.js.map +1 -0
- package/packages/core/dist/markers/registry.d.ts +53 -0
- package/packages/core/dist/markers/registry.d.ts.map +1 -0
- package/packages/core/dist/markers/registry.js +161 -0
- package/packages/core/dist/markers/registry.js.map +1 -0
- package/packages/core/dist/markers/rowHash.d.ts +2 -0
- package/packages/core/dist/markers/rowHash.d.ts.map +1 -0
- package/packages/core/dist/markers/rowHash.js +10 -0
- package/packages/core/dist/markers/rowHash.js.map +1 -0
- package/packages/core/dist/markers/scanner.d.ts +67 -0
- package/packages/core/dist/markers/scanner.d.ts.map +1 -0
- package/packages/core/dist/markers/scanner.js +292 -0
- package/packages/core/dist/markers/scanner.js.map +1 -0
- package/packages/core/dist/markers/schemas/binding-registry-event.schema.json +41 -0
- package/packages/core/dist/markers/schemas/freshness-status.schema.json +134 -0
- package/packages/core/dist/markers/schemas/proof-event.schema.json +170 -0
- package/packages/core/dist/markers/spanCanon.d.ts +4 -0
- package/packages/core/dist/markers/spanCanon.d.ts.map +1 -0
- package/packages/core/dist/markers/spanCanon.js +42 -0
- package/packages/core/dist/markers/spanCanon.js.map +1 -0
- package/packages/core/dist/markers/swiftFuncRecognizer.d.ts +36 -0
- package/packages/core/dist/markers/swiftFuncRecognizer.d.ts.map +1 -0
- package/packages/core/dist/markers/swiftFuncRecognizer.js +638 -0
- package/packages/core/dist/markers/swiftFuncRecognizer.js.map +1 -0
- package/packages/core/dist/markers/validators.d.ts +13 -0
- package/packages/core/dist/markers/validators.d.ts.map +1 -0
- package/packages/core/dist/markers/validators.js +64 -0
- package/packages/core/dist/markers/validators.js.map +1 -0
- package/packages/core/dist/markers/verificationContextHash.d.ts +23 -0
- package/packages/core/dist/markers/verificationContextHash.d.ts.map +1 -0
- package/packages/core/dist/markers/verificationContextHash.js +96 -0
- package/packages/core/dist/markers/verificationContextHash.js.map +1 -0
- package/packages/core/dist/markers/verifierPresets.d.ts +18 -0
- package/packages/core/dist/markers/verifierPresets.d.ts.map +1 -0
- package/packages/core/dist/markers/verifierPresets.js +71 -0
- package/packages/core/dist/markers/verifierPresets.js.map +1 -0
- package/packages/core/dist/markers/verifierResolver.d.ts +27 -0
- package/packages/core/dist/markers/verifierResolver.d.ts.map +1 -0
- package/packages/core/dist/markers/verifierResolver.js +151 -0
- package/packages/core/dist/markers/verifierResolver.js.map +1 -0
- package/packages/core/dist/migration/index.d.ts +2 -0
- package/packages/core/dist/migration/index.d.ts.map +1 -0
- package/packages/core/dist/migration/index.js +2 -0
- package/packages/core/dist/migration/index.js.map +1 -0
- package/packages/core/dist/migration/testMatrix.d.ts +42 -0
- package/packages/core/dist/migration/testMatrix.d.ts.map +1 -0
- package/packages/core/dist/migration/testMatrix.js +351 -0
- package/packages/core/dist/migration/testMatrix.js.map +1 -0
- package/packages/core/dist/package/index.d.ts +2 -0
- package/packages/core/dist/package/index.d.ts.map +1 -0
- package/packages/core/dist/package/index.js +2 -0
- package/packages/core/dist/package/index.js.map +1 -0
- package/packages/core/dist/package/inspectPackage.d.ts +67 -0
- package/packages/core/dist/package/inspectPackage.d.ts.map +1 -0
- package/packages/core/dist/package/inspectPackage.js +371 -0
- package/packages/core/dist/package/inspectPackage.js.map +1 -0
- package/packages/core/dist/presentation/candidates.d.ts +13 -0
- package/packages/core/dist/presentation/candidates.d.ts.map +1 -0
- package/packages/core/dist/presentation/candidates.js +86 -0
- package/packages/core/dist/presentation/candidates.js.map +1 -0
- package/packages/core/dist/presentation/index.d.ts +8 -0
- package/packages/core/dist/presentation/index.d.ts.map +1 -0
- package/packages/core/dist/presentation/index.js +8 -0
- package/packages/core/dist/presentation/index.js.map +1 -0
- package/packages/core/dist/presentation/items.d.ts +18 -0
- package/packages/core/dist/presentation/items.d.ts.map +1 -0
- package/packages/core/dist/presentation/items.js +228 -0
- package/packages/core/dist/presentation/items.js.map +1 -0
- package/packages/core/dist/presentation/ordering.d.ts +8 -0
- package/packages/core/dist/presentation/ordering.d.ts.map +1 -0
- package/packages/core/dist/presentation/ordering.js +31 -0
- package/packages/core/dist/presentation/ordering.js.map +1 -0
- package/packages/core/dist/presentation/planHelpers.d.ts +26 -0
- package/packages/core/dist/presentation/planHelpers.d.ts.map +1 -0
- package/packages/core/dist/presentation/planHelpers.js +62 -0
- package/packages/core/dist/presentation/planHelpers.js.map +1 -0
- package/packages/core/dist/presentation/presentationFormat.d.ts +39 -0
- package/packages/core/dist/presentation/presentationFormat.d.ts.map +1 -0
- package/packages/core/dist/presentation/presentationFormat.js +58 -0
- package/packages/core/dist/presentation/presentationFormat.js.map +1 -0
- package/packages/core/dist/presentation/renderCard.d.ts +37 -0
- package/packages/core/dist/presentation/renderCard.d.ts.map +1 -0
- package/packages/core/dist/presentation/renderCard.js +129 -0
- package/packages/core/dist/presentation/renderCard.js.map +1 -0
- package/packages/core/dist/presentation/scoring.d.ts +10 -0
- package/packages/core/dist/presentation/scoring.d.ts.map +1 -0
- package/packages/core/dist/presentation/scoring.js +82 -0
- package/packages/core/dist/presentation/scoring.js.map +1 -0
- package/packages/core/dist/presentation/selectPlan.d.ts +4 -0
- package/packages/core/dist/presentation/selectPlan.d.ts.map +1 -0
- package/packages/core/dist/presentation/selectPlan.js +122 -0
- package/packages/core/dist/presentation/selectPlan.js.map +1 -0
- package/packages/core/dist/presentation/selectShowcasePlan.d.ts +3 -0
- package/packages/core/dist/presentation/selectShowcasePlan.d.ts.map +1 -0
- package/packages/core/dist/presentation/selectShowcasePlan.js +6 -0
- package/packages/core/dist/presentation/selectShowcasePlan.js.map +1 -0
- package/packages/core/dist/presentation/selectWalkthroughPlan.d.ts +3 -0
- package/packages/core/dist/presentation/selectWalkthroughPlan.d.ts.map +1 -0
- package/packages/core/dist/presentation/selectWalkthroughPlan.js +6 -0
- package/packages/core/dist/presentation/selectWalkthroughPlan.js.map +1 -0
- package/packages/core/dist/presentation/selection.d.ts +7 -0
- package/packages/core/dist/presentation/selection.d.ts.map +1 -0
- package/packages/core/dist/presentation/selection.js +20 -0
- package/packages/core/dist/presentation/selection.js.map +1 -0
- package/packages/core/dist/presentation/snapshot.d.ts +12 -0
- package/packages/core/dist/presentation/snapshot.d.ts.map +1 -0
- package/packages/core/dist/presentation/snapshot.js +53 -0
- package/packages/core/dist/presentation/snapshot.js.map +1 -0
- package/packages/core/dist/presentation/types.d.ts +172 -0
- package/packages/core/dist/presentation/types.d.ts.map +1 -0
- package/packages/core/dist/presentation/types.js +2 -0
- package/packages/core/dist/presentation/types.js.map +1 -0
- package/packages/core/dist/redact.d.ts +11 -0
- package/packages/core/dist/redact.d.ts.map +1 -0
- package/packages/core/dist/redact.js +17 -0
- package/packages/core/dist/redact.js.map +1 -0
- package/packages/core/dist/roots.d.ts +81 -0
- package/packages/core/dist/roots.d.ts.map +1 -0
- package/packages/core/dist/roots.js +220 -0
- package/packages/core/dist/roots.js.map +1 -0
- package/packages/core/dist/schema/cliResult.d.ts +34 -0
- package/packages/core/dist/schema/cliResult.d.ts.map +1 -0
- package/packages/core/dist/schema/cliResult.js +35 -0
- package/packages/core/dist/schema/cliResult.js.map +1 -0
- package/packages/core/dist/schema/diagnostic.d.ts +26 -0
- package/packages/core/dist/schema/diagnostic.d.ts.map +1 -0
- package/packages/core/dist/schema/diagnostic.js +28 -0
- package/packages/core/dist/schema/diagnostic.js.map +1 -0
- package/packages/core/dist/schema/index.d.ts +8 -0
- package/packages/core/dist/schema/index.d.ts.map +1 -0
- package/packages/core/dist/schema/index.js +9 -0
- package/packages/core/dist/schema/index.js.map +1 -0
- package/packages/core/dist/schema/registry.d.ts +15 -0
- package/packages/core/dist/schema/registry.d.ts.map +1 -0
- package/packages/core/dist/schema/registry.js +206 -0
- package/packages/core/dist/schema/registry.js.map +1 -0
- package/packages/core/dist/schema/syntheticContracts.d.ts +3 -0
- package/packages/core/dist/schema/syntheticContracts.d.ts.map +1 -0
- package/packages/core/dist/schema/syntheticContracts.js +342 -0
- package/packages/core/dist/schema/syntheticContracts.js.map +1 -0
- package/packages/core/dist/schema/validate.d.ts +21 -0
- package/packages/core/dist/schema/validate.d.ts.map +1 -0
- package/packages/core/dist/schema/validate.js +210 -0
- package/packages/core/dist/schema/validate.js.map +1 -0
- package/packages/core/dist/schemas/v1/authority.schema.json +70 -0
- package/packages/core/dist/schemas/v1/cli-result.schema.json +30 -0
- package/packages/core/dist/schemas/v1/common.schema.json +274 -0
- package/packages/core/dist/schemas/v1/demo-capsule.schema.json +78 -0
- package/packages/core/dist/schemas/v1/evidence-append-result.schema.json +14 -0
- package/packages/core/dist/schemas/v1/evidence-event.schema.json +181 -0
- package/packages/core/dist/schemas/v1/evidence-status-result.schema.json +68 -0
- package/packages/core/dist/schemas/v1/host-profile.schema.json +94 -0
- package/packages/core/dist/schemas/v1/host-status-result.schema.json +49 -0
- package/packages/core/dist/schemas/v1/keyring.schema.json +77 -0
- package/packages/core/dist/schemas/v1/ledger.schema.json +99 -0
- package/packages/core/dist/schemas/v1/marker.schema.json +84 -0
- package/packages/core/dist/schemas/v1/matrix-list-result.schema.json +67 -0
- package/packages/core/dist/schemas/v1/matrix-mutation-result.schema.json +49 -0
- package/packages/core/dist/schemas/v1/matrix-validation-result.schema.json +77 -0
- package/packages/core/dist/schemas/v1/mcp-tool-results.schema.json +34 -0
- package/packages/core/dist/schemas/v1/migration-test-matrix-result.schema.json +76 -0
- package/packages/core/dist/schemas/v1/presentation-plan-result.schema.json +62 -0
- package/packages/core/dist/schemas/v1/presentation-plan.schema.json +259 -0
- package/packages/core/dist/schemas/v1/release-gate-result.schema.json +136 -0
- package/packages/core/dist/schemas/v1/showcase-approval-result.schema.json +5 -0
- package/packages/core/dist/schemas/v1/showcase-event-append-result.schema.json +17 -0
- package/packages/core/dist/schemas/v1/showcase-event.schema.json +235 -0
- package/packages/core/dist/schemas/v1/showcase-finish-result.schema.json +5 -0
- package/packages/core/dist/schemas/v1/showcase-run-status-result.schema.json +70 -0
- package/packages/core/dist/schemas/v1/showcase-start-result.schema.json +5 -0
- package/packages/core/dist/schemas/v1/use-case-file.schema.json +178 -0
- package/packages/core/dist/schemas/v1/workflow-mode.schema.json +16 -0
- package/packages/core/dist/schemas/v1/workspace-config.schema.json +58 -0
- package/packages/core/dist/showcase/appendShowcaseEvent.d.ts +116 -0
- package/packages/core/dist/showcase/appendShowcaseEvent.d.ts.map +1 -0
- package/packages/core/dist/showcase/appendShowcaseEvent.js +353 -0
- package/packages/core/dist/showcase/appendShowcaseEvent.js.map +1 -0
- package/packages/core/dist/showcase/approval.d.ts +2 -0
- package/packages/core/dist/showcase/approval.d.ts.map +1 -0
- package/packages/core/dist/showcase/approval.js +2 -0
- package/packages/core/dist/showcase/approval.js.map +1 -0
- package/packages/core/dist/showcase/approvalAuthority.d.ts +19 -0
- package/packages/core/dist/showcase/approvalAuthority.d.ts.map +1 -0
- package/packages/core/dist/showcase/approvalAuthority.js +46 -0
- package/packages/core/dist/showcase/approvalAuthority.js.map +1 -0
- package/packages/core/dist/showcase/index.d.ts +11 -0
- package/packages/core/dist/showcase/index.d.ts.map +1 -0
- package/packages/core/dist/showcase/index.js +11 -0
- package/packages/core/dist/showcase/index.js.map +1 -0
- package/packages/core/dist/showcase/jsonlLedger.d.ts +11 -0
- package/packages/core/dist/showcase/jsonlLedger.d.ts.map +1 -0
- package/packages/core/dist/showcase/jsonlLedger.js +50 -0
- package/packages/core/dist/showcase/jsonlLedger.js.map +1 -0
- package/packages/core/dist/showcase/planBinding.d.ts +5 -0
- package/packages/core/dist/showcase/planBinding.d.ts.map +1 -0
- package/packages/core/dist/showcase/planBinding.js +33 -0
- package/packages/core/dist/showcase/planBinding.js.map +1 -0
- package/packages/core/dist/showcase/replayRun.d.ts +5 -0
- package/packages/core/dist/showcase/replayRun.d.ts.map +1 -0
- package/packages/core/dist/showcase/replayRun.js +199 -0
- package/packages/core/dist/showcase/replayRun.js.map +1 -0
- package/packages/core/dist/showcase/results.d.ts +3 -0
- package/packages/core/dist/showcase/results.d.ts.map +1 -0
- package/packages/core/dist/showcase/results.js +4 -0
- package/packages/core/dist/showcase/results.js.map +1 -0
- package/packages/core/dist/showcase/revisionEpochs.d.ts +2 -0
- package/packages/core/dist/showcase/revisionEpochs.d.ts.map +1 -0
- package/packages/core/dist/showcase/revisionEpochs.js +2 -0
- package/packages/core/dist/showcase/revisionEpochs.js.map +1 -0
- package/packages/core/dist/showcase/startRun.d.ts +2 -0
- package/packages/core/dist/showcase/startRun.d.ts.map +1 -0
- package/packages/core/dist/showcase/startRun.js +2 -0
- package/packages/core/dist/showcase/startRun.js.map +1 -0
- package/packages/core/dist/showcase/types.d.ts +66 -0
- package/packages/core/dist/showcase/types.d.ts.map +1 -0
- package/packages/core/dist/showcase/types.js +2 -0
- package/packages/core/dist/showcase/types.js.map +1 -0
- package/packages/core/dist/skills/canonicalSkills.d.ts +3 -0
- package/packages/core/dist/skills/canonicalSkills.d.ts.map +1 -0
- package/packages/core/dist/skills/canonicalSkills.js +7 -0
- package/packages/core/dist/skills/canonicalSkills.js.map +1 -0
- package/packages/core/dist/skills/index.d.ts +4 -0
- package/packages/core/dist/skills/index.d.ts.map +1 -0
- package/packages/core/dist/skills/index.js +4 -0
- package/packages/core/dist/skills/index.js.map +1 -0
- package/packages/core/dist/skills/types.d.ts +26 -0
- package/packages/core/dist/skills/types.d.ts.map +1 -0
- package/packages/core/dist/skills/types.js +2 -0
- package/packages/core/dist/skills/types.js.map +1 -0
- package/packages/core/dist/skills/validateSkillAssets.d.ts +6 -0
- package/packages/core/dist/skills/validateSkillAssets.d.ts.map +1 -0
- package/packages/core/dist/skills/validateSkillAssets.js +218 -0
- package/packages/core/dist/skills/validateSkillAssets.js.map +1 -0
- package/packages/core/dist/useCases/integrity.d.ts +11 -0
- package/packages/core/dist/useCases/integrity.d.ts.map +1 -0
- package/packages/core/dist/useCases/integrity.js +178 -0
- package/packages/core/dist/useCases/integrity.js.map +1 -0
- package/packages/core/dist/useCases/loadUseCaseMatrix.d.ts +7 -0
- package/packages/core/dist/useCases/loadUseCaseMatrix.d.ts.map +1 -0
- package/packages/core/dist/useCases/loadUseCaseMatrix.js +74 -0
- package/packages/core/dist/useCases/loadUseCaseMatrix.js.map +1 -0
- package/packages/core/dist/useCases/mutateUseCaseMatrix.d.ts +25 -0
- package/packages/core/dist/useCases/mutateUseCaseMatrix.d.ts.map +1 -0
- package/packages/core/dist/useCases/mutateUseCaseMatrix.js +198 -0
- package/packages/core/dist/useCases/mutateUseCaseMatrix.js.map +1 -0
- package/packages/core/dist/useCases/query.d.ts +12 -0
- package/packages/core/dist/useCases/query.d.ts.map +1 -0
- package/packages/core/dist/useCases/query.js +47 -0
- package/packages/core/dist/useCases/query.js.map +1 -0
- package/packages/core/dist/useCases/types.d.ts +149 -0
- package/packages/core/dist/useCases/types.d.ts.map +1 -0
- package/packages/core/dist/useCases/types.js +2 -0
- package/packages/core/dist/useCases/types.js.map +1 -0
- package/packages/core/dist/useCases/validateUseCaseFile.d.ts +9 -0
- package/packages/core/dist/useCases/validateUseCaseFile.d.ts.map +1 -0
- package/packages/core/dist/useCases/validateUseCaseFile.js +107 -0
- package/packages/core/dist/useCases/validateUseCaseFile.js.map +1 -0
- package/packages/core/dist/version.d.ts +9 -0
- package/packages/core/dist/version.d.ts.map +1 -0
- package/packages/core/dist/version.js +17 -0
- package/packages/core/dist/version.js.map +1 -0
- package/packages/core/package.json +39 -0
- package/packages/mcp/README.md +48 -0
- package/packages/mcp/dist/index.d.ts +20 -0
- package/packages/mcp/dist/index.d.ts.map +1 -0
- package/packages/mcp/dist/index.js +180 -0
- package/packages/mcp/dist/index.js.map +1 -0
- package/packages/mcp/dist/prompts.d.ts +32 -0
- package/packages/mcp/dist/prompts.d.ts.map +1 -0
- package/packages/mcp/dist/prompts.js +199 -0
- package/packages/mcp/dist/prompts.js.map +1 -0
- package/packages/mcp/dist/resources.d.ts +22 -0
- package/packages/mcp/dist/resources.d.ts.map +1 -0
- package/packages/mcp/dist/resources.js +342 -0
- package/packages/mcp/dist/resources.js.map +1 -0
- package/packages/mcp/dist/toolHandlers.d.ts +28 -0
- package/packages/mcp/dist/toolHandlers.d.ts.map +1 -0
- package/packages/mcp/dist/toolHandlers.js +592 -0
- package/packages/mcp/dist/toolHandlers.js.map +1 -0
- package/packages/mcp/dist/toolSchemas.d.ts +23 -0
- package/packages/mcp/dist/toolSchemas.d.ts.map +1 -0
- package/packages/mcp/dist/toolSchemas.js +223 -0
- package/packages/mcp/dist/toolSchemas.js.map +1 -0
- package/packages/mcp/dist/tools.d.ts +22 -0
- package/packages/mcp/dist/tools.d.ts.map +1 -0
- package/packages/mcp/dist/tools.js +65 -0
- package/packages/mcp/dist/tools.js.map +1 -0
- package/packages/mcp/package.json +38 -0
- package/plugin.json +6 -0
- package/schemas/v1/authority.schema.json +70 -0
- package/schemas/v1/cli-result.schema.json +30 -0
- package/schemas/v1/common.schema.json +274 -0
- package/schemas/v1/demo-capsule.schema.json +78 -0
- package/schemas/v1/evidence-append-result.schema.json +14 -0
- package/schemas/v1/evidence-event.schema.json +181 -0
- package/schemas/v1/evidence-status-result.schema.json +68 -0
- package/schemas/v1/host-profile.schema.json +94 -0
- package/schemas/v1/host-status-result.schema.json +49 -0
- package/schemas/v1/keyring.schema.json +77 -0
- package/schemas/v1/ledger.schema.json +99 -0
- package/schemas/v1/marker.schema.json +84 -0
- package/schemas/v1/matrix-list-result.schema.json +67 -0
- package/schemas/v1/matrix-mutation-result.schema.json +49 -0
- package/schemas/v1/matrix-validation-result.schema.json +77 -0
- package/schemas/v1/mcp-tool-results.schema.json +34 -0
- package/schemas/v1/migration-test-matrix-result.schema.json +76 -0
- package/schemas/v1/presentation-plan-result.schema.json +62 -0
- package/schemas/v1/presentation-plan.schema.json +259 -0
- package/schemas/v1/release-gate-result.schema.json +136 -0
- package/schemas/v1/showcase-approval-result.schema.json +5 -0
- package/schemas/v1/showcase-event-append-result.schema.json +17 -0
- package/schemas/v1/showcase-event.schema.json +235 -0
- package/schemas/v1/showcase-finish-result.schema.json +5 -0
- package/schemas/v1/showcase-run-status-result.schema.json +70 -0
- package/schemas/v1/showcase-start-result.schema.json +5 -0
- package/schemas/v1/use-case-file.schema.json +178 -0
- package/schemas/v1/workflow-mode.schema.json +16 -0
- package/schemas/v1/workspace-config.schema.json +58 -0
- package/use-cases/capsule/demos.yml +212 -0
- package/use-cases/capsule/runner.yml +49 -0
- package/use-cases/diagnostics/contracts.yml +239 -0
- package/use-cases/evidence/core.yml +32 -0
- package/use-cases/evidence/ledger.yml +330 -0
- package/use-cases/hosts/profiles.yml +365 -0
- package/use-cases/hosts/projections.yml +96 -0
- package/use-cases/lifecycle/loop.yml +229 -0
- package/use-cases/matrix/core.yml +92 -0
- package/use-cases/matrix/product.yml +289 -0
- package/use-cases/mcp/surface.yml +257 -0
- package/use-cases/mcp/wrapper.yml +100 -0
- package/use-cases/migration/importer.yml +171 -0
- package/use-cases/migration/test-matrix.yml +32 -0
- package/use-cases/planning/cards.yml +215 -0
- package/use-cases/release/package.yml +80 -0
- package/use-cases/release/proof.yml +180 -0
- package/use-cases/roadmap/deferred.yml +184 -0
- package/use-cases/showcase/flow.yml +269 -0
- package/use-cases/showcase/live.yml +44 -0
- package/use-cases/skills/assets.yml +92 -0
- package/use-cases.yml +9 -0
|
@@ -0,0 +1,123 @@
|
|
|
1
|
+
<!-- GENERATED FILE — do not edit by hand.
|
|
2
|
+
Regenerate with `node packages/core/scripts/generate-error-codes.mjs`
|
|
3
|
+
(source of truth: packages/core/src/errors/registry.ts). -->
|
|
4
|
+
|
|
5
|
+
# Error Codes
|
|
6
|
+
|
|
7
|
+
Stable `UCM_*` error codes are part of the [public API](./stability.md). Each
|
|
8
|
+
code below is a versioned contract: a code is only removed or repurposed in a
|
|
9
|
+
**major** release; new codes ship additively in a **minor**. Diagnostics carry
|
|
10
|
+
the code in their `code` field.
|
|
11
|
+
|
|
12
|
+
There are **66** codes across **9** surfaces.
|
|
13
|
+
|
|
14
|
+
## Marker grammar
|
|
15
|
+
|
|
16
|
+
| Code | Severity | Message |
|
|
17
|
+
|---|---|---|
|
|
18
|
+
| `UCM_MARKER_DUPLICATE_BINDING_SLUG` | error | Duplicate binding slug within the same source. |
|
|
19
|
+
| `UCM_MARKER_END_MALFORMED` | error | Marker end line is malformed. |
|
|
20
|
+
| `UCM_MARKER_END_MISMATCHED` | error | Marker end line does not match its open marker. |
|
|
21
|
+
| `UCM_MARKER_END_WITHOUT_START` | error | Marker end line has no matching start. |
|
|
22
|
+
| `UCM_MARKER_FORBIDDEN_PAYLOAD` | error | Marker line carries a forbidden payload. |
|
|
23
|
+
| `UCM_MARKER_MALFORMED` | error | Marker line is malformed. |
|
|
24
|
+
| `UCM_MARKER_NESTED_SPAN` | error | Marker spans may not be nested. |
|
|
25
|
+
| `UCM_MARKER_UNSUPPORTED_INFERENCE` | error | Marker span uses an unsupported inference. |
|
|
26
|
+
|
|
27
|
+
## Binding registry
|
|
28
|
+
|
|
29
|
+
| Code | Severity | Message |
|
|
30
|
+
|---|---|---|
|
|
31
|
+
| `UCM_REGISTRY_DUPLICATE_REGISTRATION` | error | Duplicate registration in the binding registry. |
|
|
32
|
+
| `UCM_REGISTRY_JSON_PARSE` | error | Binding registry is not valid JSON. |
|
|
33
|
+
| `UCM_REGISTRY_ROW_MISSING` | error | Referenced registry row is missing. |
|
|
34
|
+
| `UCM_REGISTRY_SCHEMA_INVALID` | error | Binding registry does not match its schema. |
|
|
35
|
+
| `UCM_REGISTRY_SLUG_PREFIX_MISMATCH` | error | Binding slug prefix does not match the registry. |
|
|
36
|
+
| `UCM_REGISTRY_SLUG_ROW_CONFLICT` | error | Binding slug conflicts with an existing registry row. |
|
|
37
|
+
|
|
38
|
+
## Evidence ledger
|
|
39
|
+
|
|
40
|
+
| Code | Severity | Message |
|
|
41
|
+
|---|---|---|
|
|
42
|
+
| `UCM_EVIDENCE_APPEND_ONLY_VIOLATION` | error | Evidence ledger is append-only; rewrite rejected. |
|
|
43
|
+
| `UCM_EVIDENCE_BINDING_SET_HASH_MISMATCH` | error | Evidence binding-set hash does not match. |
|
|
44
|
+
| `UCM_EVIDENCE_EXPECTED_HEAD_MISMATCH` | error | Expected head event does not match current head. |
|
|
45
|
+
| `UCM_EVIDENCE_IDEMPOTENCY_CONFLICT` | error | Idempotency key was reused with different intent. |
|
|
46
|
+
| `UCM_EVIDENCE_INVALID_TRANSITION` | error | Evidence aggregate is not in a state that allows this transition. |
|
|
47
|
+
| `UCM_EVIDENCE_JSON_PARSE` | error | Evidence ledger line is not valid JSON. |
|
|
48
|
+
| `UCM_EVIDENCE_LEDGER_DAMAGED` | error | Refusing to append to damaged evidence history. |
|
|
49
|
+
| `UCM_EVIDENCE_LOCK_TIMEOUT` | error | Timed out acquiring evidence append lock. |
|
|
50
|
+
| `UCM_EVIDENCE_PRODUCER_NOT_TRUSTED` | error | Evidence producer is not trusted. |
|
|
51
|
+
| `UCM_EVIDENCE_ROW_MISSING` | error | Referenced evidence row is missing. |
|
|
52
|
+
| `UCM_EVIDENCE_SCHEMA_INVALID` | error | Evidence event does not match its schema. |
|
|
53
|
+
| `UCM_EVIDENCE_VERIFICATION_NOT_PASS` | error | Evidence verification did not pass. |
|
|
54
|
+
| `UCM_LEDGER_CHAIN_BROKEN` | error | Evidence ledger hash chain is broken: an entry's previous_entry_hash does not match the preceding entry. |
|
|
55
|
+
| `UCM_LEDGER_DUPLICATE_INDEX` | error | Evidence ledger contains a duplicate entry_index. |
|
|
56
|
+
| `UCM_LEDGER_INDEX_GAP` | error | Evidence ledger entry_index does not match its actual position (gap, reorder, or truncation). |
|
|
57
|
+
|
|
58
|
+
## Signature / proof verification
|
|
59
|
+
|
|
60
|
+
| Code | Severity | Message |
|
|
61
|
+
|---|---|---|
|
|
62
|
+
| `UCM_SIGNATURE_ALG_UNSUPPORTED` | error | Proof signature algorithm is unsupported. |
|
|
63
|
+
| `UCM_SIGNATURE_BAD` | error | Proof signature is invalid. |
|
|
64
|
+
| `UCM_SIGNATURE_MISSING` | error | Proof event is missing a signature. |
|
|
65
|
+
| `UCM_SIGNATURE_UNKNOWN_KEY_ID` | error | Proof signature references an unknown key id. |
|
|
66
|
+
|
|
67
|
+
## Swift function recognizer
|
|
68
|
+
|
|
69
|
+
| Code | Severity | Message |
|
|
70
|
+
|---|---|---|
|
|
71
|
+
| `UCM_SWIFT_CONDITIONAL_COMPILATION` | error | Conditional compilation directive inside a marked span. |
|
|
72
|
+
| `UCM_SWIFT_FUNC_NO_BODY` | error | Marked function has no body. |
|
|
73
|
+
| `UCM_SWIFT_FUNC_NO_CLOSING_BRACE` | error | Marked function body has no closing brace. |
|
|
74
|
+
| `UCM_SWIFT_MARKER_INSIDE_ATTACHED` | error | Marker is inside an attached declaration. |
|
|
75
|
+
| `UCM_SWIFT_MARKER_INSIDE_SPAN` | error | Another marker appears inside a marked span. |
|
|
76
|
+
| `UCM_SWIFT_MARKER_NOT_ADJACENT` | error | Marker is not adjacent to a declaration. |
|
|
77
|
+
| `UCM_SWIFT_MULTIPLE_CANDIDATES` | error | Multiple candidate declarations for the marker. |
|
|
78
|
+
| `UCM_SWIFT_NESTED_FUNC_UNSUPPORTED` | error | Nested functions are unsupported in a marked span. |
|
|
79
|
+
| `UCM_SWIFT_NEXT_NODE_NOT_FUNC` | error | The node following the marker is not a function. |
|
|
80
|
+
| `UCM_SWIFT_NO_PARSER` | error | No Swift parser is available. |
|
|
81
|
+
| `UCM_SWIFT_PARSE_ERROR` | error | Swift parse error within the marker region. |
|
|
82
|
+
|
|
83
|
+
## Workspace config
|
|
84
|
+
|
|
85
|
+
| Code | Severity | Message |
|
|
86
|
+
|---|---|---|
|
|
87
|
+
| `UCM_WORKSPACE_COMPONENT_UNKNOWN` | error | Unknown component '...'; does not match the declared component. |
|
|
88
|
+
| `UCM_WORKSPACE_CONFIG_INVALID` | error | Invalid use-cases.yml. |
|
|
89
|
+
| `UCM_WORKSPACE_CONFIG_PARSE` | error | Unable to parse use-cases.yml. |
|
|
90
|
+
|
|
91
|
+
## Migration
|
|
92
|
+
|
|
93
|
+
| Code | Severity | Message |
|
|
94
|
+
|---|---|---|
|
|
95
|
+
| `UCM_MIGRATION_UNSAFE_OUTPUT_PATH` | error | Migration output path must stay inside the data root. |
|
|
96
|
+
| `UCM_MIGRATION_UNSAFE_SOURCE_PATH` | error | Migration source path must stay inside the repository. |
|
|
97
|
+
|
|
98
|
+
## Showcase lifecycle
|
|
99
|
+
|
|
100
|
+
| Code | Severity | Message |
|
|
101
|
+
|---|---|---|
|
|
102
|
+
| `UCM_SHOWCASE_FAILURE_DECISION_REQUIRED` | error | Cannot finish until each failed or blocked verdict has a failure decision. |
|
|
103
|
+
| `UCM_SHOWCASE_FINISH_REQUIRED` | error | User approval/rejection requires a finished showcase run. |
|
|
104
|
+
| `UCM_SHOWCASE_IDEMPOTENCY_CONFLICT` | error | Idempotency key was reused with different intent. |
|
|
105
|
+
| `UCM_SHOWCASE_INVALID_CORRECTION_TARGET` | error | Correction target must be a verdict event. |
|
|
106
|
+
| `UCM_SHOWCASE_INVALID_FAILURE_DECISION_TARGET` | error | Failure decision target must be a failed or blocked verdict event. |
|
|
107
|
+
| `UCM_SHOWCASE_KNOWN_GAP_ACK_REQUIRED` | error | Partial plan requires known-gap acknowledgement. |
|
|
108
|
+
| `UCM_SHOWCASE_LEDGER_DAMAGED` | error | Refusing to append to damaged showcase history. |
|
|
109
|
+
| `UCM_SHOWCASE_PLAN_HASH_MISMATCH` | error | Plan content hash does not match plan body. |
|
|
110
|
+
| `UCM_SHOWCASE_PLAN_INVALID` | error | Presentation plan file is not a v1 plan. |
|
|
111
|
+
| `UCM_SHOWCASE_PLAN_PLACEHOLDER_HASH` | error | Plan content hash must not be a placeholder. |
|
|
112
|
+
| `UCM_SHOWCASE_PLAN_UNREADABLE` | error | Presentation plan file could not be read. |
|
|
113
|
+
| `UCM_SHOWCASE_RUN_ID_CONFLICT` | error | Showcase run id already exists. |
|
|
114
|
+
| `UCM_SHOWCASE_TRUSTED_CONFIRMATION_REQUIRED` | error | User approval requires a trusted interactive user confirmation path. |
|
|
115
|
+
| `UCM_SHOWCASE_USER_APPROVAL_REQUIRED` | error | Agent cannot record user-required approval. |
|
|
116
|
+
| `UCM_SHOWCASE_VERDICT_REQUIRES_OBSERVATION` | error | Verdict requires a prior observation. |
|
|
117
|
+
|
|
118
|
+
## Path safety
|
|
119
|
+
|
|
120
|
+
| Code | Severity | Message |
|
|
121
|
+
|---|---|---|
|
|
122
|
+
| `UCM_INVALID_ID` | error | Identifier is not a canonical id; refusing to use it as a path segment. |
|
|
123
|
+
| `UCM_PATH_ESCAPE` | error | Unsafe relative path escapes its root boundary. |
|
|
@@ -0,0 +1,123 @@
|
|
|
1
|
+
# Stability & Versioning Policy
|
|
2
|
+
|
|
3
|
+
use-cases follows [Semantic Versioning](https://semver.org). At
|
|
4
|
+
`1.0.0` the surfaces listed under **Public API** below are a contract: they only
|
|
5
|
+
change in breaking ways across a **major** version bump. This page is the
|
|
6
|
+
authoritative declaration of what is stable, what is experimental, and how
|
|
7
|
+
versions move.
|
|
8
|
+
|
|
9
|
+
> **Pre-1.0 (beta).** The current release line is `0.0.x` — beta software. The
|
|
10
|
+
> contracts below describe the *intended* shape that becomes binding **at
|
|
11
|
+
> `1.0.0`**; until then they may still change between `0.0.x` releases. Adopt
|
|
12
|
+
> with that in mind.
|
|
13
|
+
|
|
14
|
+
> Ships as a single package, `use-cases` (binaries `uc` and `uc-mcp`);
|
|
15
|
+
> the `core` / `cli` / `mcp` workspaces are bundled inside it, not published
|
|
16
|
+
> separately. See the [publishing runbook](../release/publishing.md) for how a
|
|
17
|
+
> release is cut (npm Trusted Publishing + provenance) and the owner one-time npm
|
|
18
|
+
> setup.
|
|
19
|
+
|
|
20
|
+
## SemVer policy
|
|
21
|
+
|
|
22
|
+
| Bump | What may change |
|
|
23
|
+
|---|---|
|
|
24
|
+
| **patch** (`1.0.x`) | Bug fixes. No schema, CLI, MCP, or output-shape changes. Human-readable text may change. |
|
|
25
|
+
| **minor** (`1.x.0`) | Additive only: new commands, new MCP tools/resources/prompts, new **optional** schema fields, new error codes, new exit-code *meanings* for previously-unused codes. Existing contracts keep working. |
|
|
26
|
+
| **major** (`x.0.0`) | Anything removed, renamed, or changed in meaning: a command/flag/tool/field/error-code removed or repurposed, an output shape changed, a schema field made required, exit-code semantics changed. |
|
|
27
|
+
|
|
28
|
+
A change is "breaking" if a correct integration written against `1.0.0` could
|
|
29
|
+
observe different behaviour. When in doubt, treat it as major.
|
|
30
|
+
|
|
31
|
+
## Public API (stable at 1.0.0)
|
|
32
|
+
|
|
33
|
+
These are versioned contracts:
|
|
34
|
+
|
|
35
|
+
- **CLI command + subcommand names and their flags** — e.g. `uc matrix validate`, `uc verify`, `uc prove`, `uc bind`, `uc scan`. Renames/removals are breaking.
|
|
36
|
+
- **CLI `--json` output** — the envelope and every command's `data` shape (see below). Human/text output is **not** part of the contract.
|
|
37
|
+
- **CLI exit codes** and their meanings (see below).
|
|
38
|
+
- **The result envelope** shared by CLI `--json` and MCP structured results.
|
|
39
|
+
- **MCP tool names** and their input/output schemas, plus the MCP **safety policy** defaults (mutations gated, no signing/`prove`, no generic shell, workspace-root locking).
|
|
40
|
+
- **Persisted file formats**, each carrying `schema_version`: the matrix / use-case files, the binding registry (`bindings.jsonl`), the proof/evidence ledger (`proofs.jsonl`), evidence events, showcase specs/runs, capsules, plans, host profiles, and workspace config.
|
|
41
|
+
- **JSON Schemas** published under the `https://use-cases.dev/schemas/v1/...` `$id` namespace (resolved locally; not fetched).
|
|
42
|
+
- **The use-case marker grammar** (`//: @use-case: <slug>` … `//: @use-case: end <slug>`) and slug rules.
|
|
43
|
+
- **The proof/trust model**: ed25519 signed proof events, the hashed inputs (row, binding-set, span, verification-context), and the freshness states (`FRESH`, `SUSPECT`, `UNPROVEN`, `UNBOUND`, `INVALID`). Signing-key management — the single `--public-key` path, the opt-in `--keyring` registry, and key rotation/revocation — is documented in [key management](../security/key-management.md).
|
|
44
|
+
- **Error codes** declared in the [error-code registry](./error-codes.md) (`UCM_*`).
|
|
45
|
+
|
|
46
|
+
### Result envelope
|
|
47
|
+
|
|
48
|
+
Every CLI `--json` response and MCP structured result uses this envelope:
|
|
49
|
+
|
|
50
|
+
```json
|
|
51
|
+
{
|
|
52
|
+
"schema_version": 1,
|
|
53
|
+
"protocol_version": 1,
|
|
54
|
+
"command": "matrix.validate",
|
|
55
|
+
"ok": true,
|
|
56
|
+
"complete": true,
|
|
57
|
+
"data": { },
|
|
58
|
+
"diagnostics": [],
|
|
59
|
+
"context": { }
|
|
60
|
+
}
|
|
61
|
+
```
|
|
62
|
+
|
|
63
|
+
- `schema_version` / `protocol_version` — bumped only on breaking envelope changes.
|
|
64
|
+
- `command` — stable dotted command id.
|
|
65
|
+
- `ok` — success boolean. `complete` — whether the operation ran to completion.
|
|
66
|
+
- `data` — the command-specific payload (validated against that command's schema).
|
|
67
|
+
- `diagnostics` — array of structured items, each with a stable `code` (see [error codes](./error-codes.md)).
|
|
68
|
+
- `context` — workspace/component metadata.
|
|
69
|
+
|
|
70
|
+
### Exit codes
|
|
71
|
+
|
|
72
|
+
| Code | Meaning |
|
|
73
|
+
|---:|---|
|
|
74
|
+
| `0` | Success. |
|
|
75
|
+
| `1` | Command failed / validation issues / required rows not FRESH. |
|
|
76
|
+
| `2` | Unknown command or invalid arguments. |
|
|
77
|
+
| `3` | Integrity blocked (matrix/evidence/ledger integrity failure). |
|
|
78
|
+
| `4` | Unsafe path escape (data-root / repo boundary violation). |
|
|
79
|
+
|
|
80
|
+
Additional trust-engine exit codes used by `prove` (e.g. untrusted append,
|
|
81
|
+
signing-key missing) are documented in the CLI reference and are stable.
|
|
82
|
+
|
|
83
|
+
## Experimental / not yet covered by the v1 contract
|
|
84
|
+
|
|
85
|
+
These ship and work, but their **shape** may change in a minor release until
|
|
86
|
+
promoted. They are called out here so adopters can depend on them with eyes open:
|
|
87
|
+
|
|
88
|
+
- MCP **resources** (`uc://…`) and **prompts** are exposed and read-only, but
|
|
89
|
+
the exact URI/prompt set may grow in minor releases; treat the MCP *tool*
|
|
90
|
+
surface as the most stable MCP contract.
|
|
91
|
+
- MCP output **rate-limiting** and **size caps**.
|
|
92
|
+
- **Host profiles are a fixed built-in set for v1** (`claude`, `codex`,
|
|
93
|
+
`copilot`, `opencode`). The host-applicability/projection engine is generic,
|
|
94
|
+
but registering *custom* host profiles is a post-v1 extension; the trust core
|
|
95
|
+
(bind/verify/prove/freshness) is host-independent and unaffected.
|
|
96
|
+
- The **trust-engine commands** (`bind`, `scan`, `verify`, `prove`,
|
|
97
|
+
`validate-ledger`) always emit JSON — they are machine/CI-oriented and have no
|
|
98
|
+
separate human-formatted mode (other commands gate JSON behind `--json`).
|
|
99
|
+
- Non-GitHub-Actions CI authority adapters (the proof model is CI-neutral; only
|
|
100
|
+
the GitHub Actions reference workflow is a supported path at 1.0.0). The
|
|
101
|
+
CI-neutral authority contract, per-provider authority population, and the
|
|
102
|
+
opt-in release-gate authority requirement are documented in
|
|
103
|
+
[CI hardening](../security/ci-hardening.md).
|
|
104
|
+
- Any other CLI command's **human-readable** (non-`--json`) formatting.
|
|
105
|
+
- The `core` / `cli` / `mcp` workspaces are an internal implementation detail: they are bundled into the `use-cases` package, **not** a published programmatic import surface. The stable contract is the CLI, the MCP tools, the JSON envelope, the schemas, and the persisted file formats — not TypeScript imports.
|
|
106
|
+
|
|
107
|
+
## Supported environments
|
|
108
|
+
|
|
109
|
+
- **Node**: active LTS lines.
|
|
110
|
+
- **CI**: GitHub Actions is the reference, first-class path. The verify/prove
|
|
111
|
+
contract is CI-neutral and documented for other providers (best-effort) in
|
|
112
|
+
[CI hardening](../security/ci-hardening.md), which also covers the opt-in
|
|
113
|
+
release-gate authority requirement (`release_gate.required_authority` /
|
|
114
|
+
`require_protected_ref`).
|
|
115
|
+
- **Verifiers**: command verifiers for any language/toolchain. `pnpm`/`vitest`
|
|
116
|
+
is one preset, not an assumption.
|
|
117
|
+
- **MCP transport**: local stdio. Remote/HTTP transport is **not** a v1 contract.
|
|
118
|
+
|
|
119
|
+
## Changing a contract
|
|
120
|
+
|
|
121
|
+
A breaking change to anything above requires: a major version bump, a CHANGELOG
|
|
122
|
+
entry, and a migration note under `docs/migration/`. Additive changes ship in a
|
|
123
|
+
minor with a CHANGELOG entry.
|
package/docs/release.md
ADDED
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
# Release Checklist
|
|
2
|
+
|
|
3
|
+
Run the production release gate from the repository root:
|
|
4
|
+
|
|
5
|
+
```bash
|
|
6
|
+
node scripts/release-gate.mjs
|
|
7
|
+
```
|
|
8
|
+
|
|
9
|
+
The gate is intentionally sequential. Do not run `build` concurrently with
|
|
10
|
+
`test`; tests import built workspace package outputs.
|
|
11
|
+
|
|
12
|
+
Before release, inspect:
|
|
13
|
+
|
|
14
|
+
- CI runs `node scripts/release-gate.mjs` on Node 22.
|
|
15
|
+
- `doctor package` is complete and has no diagnostics. By default it builds and
|
|
16
|
+
inspects the real root package tarball, not just the checkout.
|
|
17
|
+
- For external artifacts, use `doctor package --tarball <path> --json`.
|
|
18
|
+
- For installed artifacts, use `doctor package --installed-root <path> --json`;
|
|
19
|
+
this also runs installed CLI and MCP smoke checks.
|
|
20
|
+
- Root package contents include `.agents/skills`, `.codex-plugin/plugin.json`,
|
|
21
|
+
`.mcp.json`, built CLI/MCP/Core `dist`, schemas, docs, examples, and use cases.
|
|
22
|
+
- Root package contents omit tests, TypeScript source, local session state,
|
|
23
|
+
build locks, `node_modules`, and coverage output.
|
|
24
|
+
- Host docs do not claim verified support unless evidence IDs exist.
|
|
25
|
+
- A real showcase run on this plugin is recorded if the release changes user
|
|
26
|
+
workflow.
|
|
@@ -0,0 +1,144 @@
|
|
|
1
|
+
# CI hardening: the CI-neutral authority contract & release-gate requirement
|
|
2
|
+
|
|
3
|
+
Use Cases proofs record **where and how they were produced** in a
|
|
4
|
+
provider-agnostic `authority` block, and a repo can **require a minimum
|
|
5
|
+
authority** before a `required_for_release` row is allowed to ship. This page
|
|
6
|
+
covers the CI-neutral authority contract, the GitHub Actions reference path, how
|
|
7
|
+
other CI providers populate authority, and the release-gate authority
|
|
8
|
+
requirement.
|
|
9
|
+
|
|
10
|
+
> Authority is about **provenance**, not freshness. A row is `FRESH` when scan
|
|
11
|
+
> can verify a signed proof matching the current row / binding-set / verification
|
|
12
|
+
> context (see [key management](./key-management.md)). The `authority` block is
|
|
13
|
+
> **additive** and never changes that: legacy proofs minted before authority
|
|
14
|
+
> existed still validate and stay `FRESH`. Authority only matters when a repo
|
|
15
|
+
> **opts into** the release-gate requirement below.
|
|
16
|
+
|
|
17
|
+
## The CI-neutral authority contract
|
|
18
|
+
|
|
19
|
+
The trust model is **CI-neutral**: GitHub Actions is only the *reference*
|
|
20
|
+
provider. Every proof event may carry an OPTIONAL `authority` block
|
|
21
|
+
([`schemas/v1/authority.schema.json`](../../schemas/v1/authority.schema.json),
|
|
22
|
+
`$id: …/schemas/v1/authority.schema.json`) describing who/where minted it:
|
|
23
|
+
|
|
24
|
+
| Field | Meaning |
|
|
25
|
+
|---|---|
|
|
26
|
+
| `type` | `"ci"` when produced inside a recognised CI provider; `"local"` otherwise. |
|
|
27
|
+
| `provider` | `github-actions` \| `gitlab-ci` \| `circleci` \| `generic`. `generic` is the local / unrecognised fallback. |
|
|
28
|
+
| `repository` | Provider-shaped repo identifier (e.g. `owner/repo`). Best-effort. |
|
|
29
|
+
| `ref` | The git ref / branch the run executed against. Best-effort. |
|
|
30
|
+
| `commit` | The commit SHA the run executed against. Best-effort. |
|
|
31
|
+
| `run_id` | The provider's run / pipeline / build id. Best-effort. |
|
|
32
|
+
| `actor` | The login that triggered the run, when exposed. Best-effort. |
|
|
33
|
+
| `event` | The triggering event name (`push`, `pull_request`, `merge_request`, …). |
|
|
34
|
+
| `protected_ref` | **Tri-state**: `true`/`false` when the provider attests the protected-branch state, `null` when **unknown**. |
|
|
35
|
+
|
|
36
|
+
The block is built **into the event before signing**, so the signature covers it
|
|
37
|
+
— authority cannot be forged or altered after minting without breaking the
|
|
38
|
+
proof's signature. The existing GitHub-shaped `producer` block is unchanged;
|
|
39
|
+
`authority` is the CI-neutral trust record beside it.
|
|
40
|
+
|
|
41
|
+
> **Honest about `protected_ref`.** It is **provider-attested where available and
|
|
42
|
+
> otherwise unknown** (`null`). GitHub Actions does not expose a branch-protection
|
|
43
|
+
> signal in the runner environment, so the reference path reports `null` unless
|
|
44
|
+
> you supply the value out of band (see overrides below). GitLab CI exposes
|
|
45
|
+
> `CI_COMMIT_REF_PROTECTED` and is read directly. A `null` (unknown) value never
|
|
46
|
+
> satisfies a `require_protected_ref` gate — the gate fails closed.
|
|
47
|
+
|
|
48
|
+
## How authority is populated
|
|
49
|
+
|
|
50
|
+
`prove` fills the `authority` block automatically by auto-detecting the CI
|
|
51
|
+
environment (pure `detectCiAuthority(env)` in `markers/ciAuthority.ts`), or you
|
|
52
|
+
can supply it explicitly.
|
|
53
|
+
|
|
54
|
+
### GitHub Actions (the reference path)
|
|
55
|
+
|
|
56
|
+
Detected via `GITHUB_ACTIONS`. Fields are read from the standard runner env:
|
|
57
|
+
|
|
58
|
+
| Authority field | Env var |
|
|
59
|
+
|---|---|
|
|
60
|
+
| `repository` | `GITHUB_REPOSITORY` |
|
|
61
|
+
| `ref` | `GITHUB_REF` |
|
|
62
|
+
| `commit` | `GITHUB_SHA` |
|
|
63
|
+
| `run_id` | `GITHUB_RUN_ID` |
|
|
64
|
+
| `actor` | `GITHUB_ACTOR` |
|
|
65
|
+
| `event` | `GITHUB_EVENT_NAME` |
|
|
66
|
+
| `protected_ref` | unknowable from the runner env → `null` (override to set) |
|
|
67
|
+
|
|
68
|
+
No configuration is needed: running `uc prove …` inside a GitHub Actions job
|
|
69
|
+
yields `type: "ci"`, `provider: "github-actions"`.
|
|
70
|
+
|
|
71
|
+
### Other CI providers (auto-detected)
|
|
72
|
+
|
|
73
|
+
The same auto-detection recognises:
|
|
74
|
+
|
|
75
|
+
- **GitLab CI** (`GITLAB_CI`): `CI_PROJECT_PATH`, `CI_COMMIT_REF_NAME`,
|
|
76
|
+
`CI_COMMIT_SHA`, `CI_PIPELINE_ID`, `GITLAB_USER_LOGIN`, `CI_PIPELINE_SOURCE`,
|
|
77
|
+
and the explicit `CI_COMMIT_REF_PROTECTED` → `protected_ref`.
|
|
78
|
+
- **CircleCI** (`CIRCLECI`): `CIRCLE_PROJECT_USERNAME`/`CIRCLE_PROJECT_REPONAME`
|
|
79
|
+
→ `owner/repo`, `CIRCLE_BRANCH`, `CIRCLE_SHA1`, `CIRCLE_BUILD_NUM`,
|
|
80
|
+
`CIRCLE_USERNAME`. No protected-branch signal → `protected_ref: null`.
|
|
81
|
+
- **Anything else** → `{ type: "local", provider: "generic" }`.
|
|
82
|
+
|
|
83
|
+
### Unknown providers & overrides: `--authority-file`
|
|
84
|
+
|
|
85
|
+
For a CI provider that is not auto-detected, or to attest a value the runner
|
|
86
|
+
cannot expose (e.g. `protected_ref` on GitHub), pass a JSON authority record:
|
|
87
|
+
|
|
88
|
+
```sh
|
|
89
|
+
uc prove --all --trusted-ci \
|
|
90
|
+
--verification-results "$UCM_VERIFICATION_RESULTS" \
|
|
91
|
+
--signing-key-env UCM_CI_SIGNING_KEY --key-id ci-key-1 \
|
|
92
|
+
--authority-file authority.json
|
|
93
|
+
```
|
|
94
|
+
|
|
95
|
+
`--verification-results` is required — it is the unsigned results ledger written
|
|
96
|
+
earlier by `uc verify --out "$UCM_VERIFICATION_RESULTS"`.
|
|
97
|
+
|
|
98
|
+
```json
|
|
99
|
+
{
|
|
100
|
+
"type": "ci",
|
|
101
|
+
"provider": "generic",
|
|
102
|
+
"repository": "owner/repo",
|
|
103
|
+
"ref": "refs/heads/main",
|
|
104
|
+
"commit": "0123…",
|
|
105
|
+
"run_id": "4242",
|
|
106
|
+
"protected_ref": true
|
|
107
|
+
}
|
|
108
|
+
```
|
|
109
|
+
|
|
110
|
+
The file is validated against `authority.schema.json`, embedded, and signed.
|
|
111
|
+
|
|
112
|
+
## The release-gate authority requirement
|
|
113
|
+
|
|
114
|
+
By default the release gate does **not** look at authority — a `FRESH` required
|
|
115
|
+
row passes regardless of how it was proved. A repo can **opt in** to a minimum
|
|
116
|
+
authority via the OPTIONAL `release_gate` section of `use-cases.yml`:
|
|
117
|
+
|
|
118
|
+
```yaml
|
|
119
|
+
# use-cases.yml
|
|
120
|
+
release_gate:
|
|
121
|
+
required_authority: ci # matching proof must have authority.type === "ci"
|
|
122
|
+
require_protected_ref: true # ...and authority.protected_ref === true
|
|
123
|
+
```
|
|
124
|
+
|
|
125
|
+
Semantics, in **release mode only**:
|
|
126
|
+
|
|
127
|
+
- A `required_for_release` row whose only `FRESH` proof was minted with
|
|
128
|
+
**insufficient authority** — `type: "local"` when `required_authority: ci`, or
|
|
129
|
+
`protected_ref` not exactly `true` when `require_protected_ref: true`, or **no
|
|
130
|
+
authority block at all** — is **POLICY-BLOCKED**. It is surfaced in the
|
|
131
|
+
freshness / gate output with an `AUTHORITY_INSUFFICIENT` reason and counted in
|
|
132
|
+
`summary.policy_blocked`.
|
|
133
|
+
- A required row that is already not `FRESH` is blocked exactly as before; the
|
|
134
|
+
authority gate is **purely additive** — it can only ever block an
|
|
135
|
+
*otherwise-`FRESH`* required row, never relax existing blocking.
|
|
136
|
+
- **Feature mode is never affected**, and non-`required_for_release` rows are
|
|
137
|
+
never authority-blocked.
|
|
138
|
+
- **Off by default.** Omit `release_gate`, or leave its fields unset, and gating
|
|
139
|
+
is exactly as it was — nothing changes for repos that do not configure it.
|
|
140
|
+
|
|
141
|
+
This is the hardening lever: require that everything you ship was proved by **CI
|
|
142
|
+
on a protected branch**, not on someone's laptop, while keeping the whole trust
|
|
143
|
+
model CI-neutral (any provider that produces a `type: "ci"` /
|
|
144
|
+
provider-attested-`protected_ref` proof satisfies the gate).
|
|
@@ -0,0 +1,158 @@
|
|
|
1
|
+
# Key management: signing keys, the keyring, rotation & revocation
|
|
2
|
+
|
|
3
|
+
Use Cases proofs are **ed25519-signed** trusted-CI events. A row is only
|
|
4
|
+
`FRESH` when scan/validate-ledger can verify the signature on a matching proof
|
|
5
|
+
against a **trusted public key**. This page covers how those keys are managed:
|
|
6
|
+
generating a keypair, the keyring file, rotating keys, revoking them, and the
|
|
7
|
+
fail-closed guarantee that ties it all together.
|
|
8
|
+
|
|
9
|
+
There are two ways to tell the tool which public key(s) to trust:
|
|
10
|
+
|
|
11
|
+
| Flag | Trust model | Use when |
|
|
12
|
+
|---|---|---|
|
|
13
|
+
| `--public-key <file.pem>` | A **single** key, trusted unconditionally — only as safe as the file the verifier is pointed at, so commit it where the agent cannot swap it (see [threat model](../security.md#threat-model--what-holds-on-its-own-and-what-needs-setup)). | One signer, no rotation. The original, simplest path. |
|
|
14
|
+
| `--keyring <file.json>` | A **registry** of keys, each with a status and validity window. | You need rotation and/or revocation. **Opt-in**, additive. |
|
|
15
|
+
|
|
16
|
+
Both flags are accepted by `scan`, `verify`, `prove`, and `validate-ledger`.
|
|
17
|
+
`--keyring` is strictly additive: if you never pass it, nothing changes. When
|
|
18
|
+
both are present, the keyring wins.
|
|
19
|
+
|
|
20
|
+
> The private signing key lives **only in trusted CI** (passed to `prove` via
|
|
21
|
+
> `--signing-key-env <ENV>`, never written to the repo). The repo/config holds
|
|
22
|
+
> only **public** keys.
|
|
23
|
+
|
|
24
|
+
## Generating an ed25519 keypair
|
|
25
|
+
|
|
26
|
+
The signing key is a **PKCS8 ed25519 PEM**; the public key is an **SPKI ed25519
|
|
27
|
+
PEM**. Generate the pair with Node — this works everywhere the CLI runs and needs
|
|
28
|
+
no external tools (macOS's bundled LibreSSL cannot `genpkey -algorithm ed25519`):
|
|
29
|
+
|
|
30
|
+
```sh
|
|
31
|
+
node -e 'const c=require("crypto"),f=require("fs");const{publicKey,privateKey}=c.generateKeyPairSync("ed25519");f.writeFileSync("ci-signing-key.pem",privateKey.export({type:"pkcs8",format:"pem"}));f.writeFileSync("ci-signing-key.pub.pem",publicKey.export({type:"spki",format:"pem"}));'
|
|
32
|
+
```
|
|
33
|
+
|
|
34
|
+
This writes `ci-signing-key.pem` (the **private** key — keep in CI secrets only,
|
|
35
|
+
never commit) and `ci-signing-key.pub.pem` (the **public** key, for `--public-key`
|
|
36
|
+
or the keyring). If you have OpenSSL ≥ 3 (not macOS LibreSSL) you can instead run:
|
|
37
|
+
|
|
38
|
+
```sh
|
|
39
|
+
openssl genpkey -algorithm ed25519 -out ci-signing-key.pem
|
|
40
|
+
openssl pkey -in ci-signing-key.pem -pubout -out ci-signing-key.pub.pem
|
|
41
|
+
```
|
|
42
|
+
|
|
43
|
+
In CI, load the **private** PEM into an environment variable and point `prove`
|
|
44
|
+
at it; tag the proof with the matching key id:
|
|
45
|
+
|
|
46
|
+
```sh
|
|
47
|
+
export UCM_CI_SIGNING_KEY="$(cat ci-signing-key.pem)"
|
|
48
|
+
uc prove --all --trusted-ci \
|
|
49
|
+
--signing-key-env UCM_CI_SIGNING_KEY \
|
|
50
|
+
--key-id ci-key-1
|
|
51
|
+
```
|
|
52
|
+
|
|
53
|
+
The `--key-id` you sign with must match a `key_id` in the keyring (or be
|
|
54
|
+
irrelevant under the single `--public-key` path, which ignores it).
|
|
55
|
+
|
|
56
|
+
## The keyring file
|
|
57
|
+
|
|
58
|
+
A keyring is a JSON file conforming to
|
|
59
|
+
[`schemas/v1/keyring.schema.json`](../../schemas/v1/keyring.schema.json)
|
|
60
|
+
(`$id: https://use-cases.dev/schemas/v1/keyring.schema.json`). It is a
|
|
61
|
+
list of keys; each carries a stable id, the PEM public key, a validity window,
|
|
62
|
+
and a status:
|
|
63
|
+
|
|
64
|
+
```json
|
|
65
|
+
{
|
|
66
|
+
"keyring_schema_id": "ucase-public-key-registry-v1",
|
|
67
|
+
"keys": [
|
|
68
|
+
{
|
|
69
|
+
"key_id": "ci-key-1",
|
|
70
|
+
"algorithm": "ed25519",
|
|
71
|
+
"public_key": "-----BEGIN PUBLIC KEY-----\n…\n-----END PUBLIC KEY-----\n",
|
|
72
|
+
"valid_from": "2026-01-01T00:00:00Z",
|
|
73
|
+
"valid_until": null,
|
|
74
|
+
"status": "active"
|
|
75
|
+
}
|
|
76
|
+
]
|
|
77
|
+
}
|
|
78
|
+
```
|
|
79
|
+
|
|
80
|
+
| Field | Meaning |
|
|
81
|
+
|---|---|
|
|
82
|
+
| `key_id` | Stable id referenced by a proof signature's `key_id`. |
|
|
83
|
+
| `algorithm` | Always `ed25519`. |
|
|
84
|
+
| `public_key` | PEM-encoded ed25519 public key. |
|
|
85
|
+
| `valid_from` | Start of the validity window (inclusive). |
|
|
86
|
+
| `valid_until` | End of the window (inclusive), or `null` for open-ended. |
|
|
87
|
+
| `status` | `active` (may verify proofs) or `revoked` (must not). |
|
|
88
|
+
|
|
89
|
+
A `key_id` resolves to its public key **only when** the key exists, its status
|
|
90
|
+
is `active`, and the **proof's `created_at`** falls inside
|
|
91
|
+
`[valid_from, valid_until]`. The validity window is checked against the moment
|
|
92
|
+
the proof was signed, not "now" — so a proof minted while a key was valid keeps
|
|
93
|
+
verifying after the window closes only if you keep the key active; once the
|
|
94
|
+
window closes or the key is revoked, the proof no longer verifies.
|
|
95
|
+
|
|
96
|
+
Pass it to any verifying command:
|
|
97
|
+
|
|
98
|
+
```sh
|
|
99
|
+
uc scan --keyring keyring.json
|
|
100
|
+
uc validate-ledger --keyring keyring.json
|
|
101
|
+
```
|
|
102
|
+
|
|
103
|
+
## Rotation
|
|
104
|
+
|
|
105
|
+
Rotation introduces a new signing key without invalidating proofs already in the
|
|
106
|
+
ledger. The order matters — **add then re-prove, revoke last**:
|
|
107
|
+
|
|
108
|
+
1. **Generate** a new keypair (`ci-key-2`).
|
|
109
|
+
2. **Add** `ci-key-2` to the keyring as `active`, and **keep `ci-key-1` active**.
|
|
110
|
+
At this point both keys verify, so every existing `ci-key-1` proof stays
|
|
111
|
+
`FRESH`.
|
|
112
|
+
3. **Re-prove** the rows under `ci-key-2` (`prove … --key-id ci-key-2`). Because
|
|
113
|
+
the ledger is append-only, this appends fresh proofs signed by the new key;
|
|
114
|
+
the old proofs remain.
|
|
115
|
+
4. **Revoke** `ci-key-1` (flip its `status` to `revoked`) only after every row
|
|
116
|
+
you care about has a current-key proof.
|
|
117
|
+
|
|
118
|
+
A proof minted under an old key that is **still active** stays `FRESH`. The
|
|
119
|
+
moment you revoke that old key, any row whose only proof was signed by it drops
|
|
120
|
+
out of `FRESH` — which is exactly why you re-prove (step 3) before revoking
|
|
121
|
+
(step 4).
|
|
122
|
+
|
|
123
|
+
> Because the evidence ledger is append-only and **fail-closed**, revoking a key
|
|
124
|
+
> that signed earlier, still-present ledger entries makes those specific entries
|
|
125
|
+
> fail verification (a ledger-integrity error). Re-prove the affected rows under
|
|
126
|
+
> a current key so each row again has a verifiable proof.
|
|
127
|
+
|
|
128
|
+
## Revocation
|
|
129
|
+
|
|
130
|
+
To stop trusting a key immediately (e.g. it leaked), set its `status` to
|
|
131
|
+
`revoked` in the keyring. From that point:
|
|
132
|
+
|
|
133
|
+
- Any proof signed by the revoked key no longer verifies.
|
|
134
|
+
- A row whose only proof was that key falls to `UNPROVEN`/`SUSPECT` — **never
|
|
135
|
+
`FRESH`**.
|
|
136
|
+
- Re-prove the row under a current, `active` key to restore `FRESH`.
|
|
137
|
+
|
|
138
|
+
You do not delete the revoked entry: keeping it (as `revoked`) documents that
|
|
139
|
+
the key was once known and is now untrusted.
|
|
140
|
+
|
|
141
|
+
## The fail-closed guarantee
|
|
142
|
+
|
|
143
|
+
Verification is **fail-closed**. A proof is `FRESH` only when the keyring
|
|
144
|
+
positively vouches for its signing key at signing time. Every other case yields
|
|
145
|
+
**not `FRESH`**:
|
|
146
|
+
|
|
147
|
+
| Situation | Result |
|
|
148
|
+
|---|---|
|
|
149
|
+
| `key_id` not in the keyring | not FRESH (`UNKNOWN_KEY_ID`) |
|
|
150
|
+
| key present but `status: revoked` | not FRESH |
|
|
151
|
+
| proof `created_at` before `valid_from` | not FRESH |
|
|
152
|
+
| proof `created_at` after `valid_until` | not FRESH |
|
|
153
|
+
| signature does not verify | not FRESH (`BAD_SIGNATURE`) |
|
|
154
|
+
| **active key, in window, valid signature** | **FRESH** |
|
|
155
|
+
|
|
156
|
+
There is no "unknown key, allow anyway" path: an unrecognised, revoked, or
|
|
157
|
+
out-of-window key resolves to nothing, so the proof cannot verify and the row
|
|
158
|
+
cannot be `FRESH`.
|
package/docs/security.md
ADDED
|
@@ -0,0 +1,66 @@
|
|
|
1
|
+
# Security And Trust
|
|
2
|
+
|
|
3
|
+
Generated plans, migration output, capsules, and host projections are prepared
|
|
4
|
+
material only. They are not proof.
|
|
5
|
+
|
|
6
|
+
## Threat model — what holds on its own, and what needs setup
|
|
7
|
+
|
|
8
|
+
The freshness guarantee is cryptographic, but it is only ever as strong as the
|
|
9
|
+
trust anchor you give it. This tool's whole point is to keep claims honest, so it
|
|
10
|
+
is precise about what it enforces *by itself* versus what depends on how you
|
|
11
|
+
deploy it. The adversary worth naming is an **autonomous agent with full shell
|
|
12
|
+
access to the workspace** — the same actor the tool exists to keep honest.
|
|
13
|
+
|
|
14
|
+
| Property | Enforced by the tool alone | Also requires |
|
|
15
|
+
|---|---|---|
|
|
16
|
+
| A `FRESH` row carries a valid signature over the current row / binding-set / verifier hashes — any drift flips it to `SUSPECT` | ✅ `scan` fails closed on drift, bad/unknown/revoked/out-of-window signatures | — |
|
|
17
|
+
| That signature came from **trusted CI**, not a local actor | ❌ not on its own | The verifier must check against a **public key (or keyring) committed to the repo that the agent cannot swap**, *and* the private signing key must live **only** in a CI secret. Given a key it supplies or can generate, an actor with shell access can `prove` its own proof and `scan` it `FRESH`. |
|
|
18
|
+
| The proof ledger has not been rewritten | ❌ not on its own — a local rewrite re-chains the hashes consistently | `validate-ledger --base-ref <ref>` against a **protected** branch the agent cannot force-push (branch protection on that ref). |
|
|
19
|
+
| A required row was proven **on a protected branch** | ❌ | The release-gate authority requirement + the `protected_ref` attestation — see [CI hardening](./security/ci-hardening.md). |
|
|
20
|
+
| "Approved by a human" on a showcase run | ❌ in v1 | The showcase approval ledger is **unsigned**; sign-off is **operationally** enforced (process / review), not cryptographically. See *Trusted user approval* below. |
|
|
21
|
+
|
|
22
|
+
In short: **the cryptography proves "this proof was signed by the key you chose to
|
|
23
|
+
trust."** Making that key mean *trusted CI rather than the local agent* is your
|
|
24
|
+
deployment's job — commit the public key, keep the private key CI-only, protect
|
|
25
|
+
the branch, and verify with `--base-ref` / a keyring. With that setup in place a
|
|
26
|
+
local actor cannot manufacture `FRESH`. Without it the proofs are still useful
|
|
27
|
+
integrity signals, but they are not a defence against an actor who controls the
|
|
28
|
+
shell. See [key management](./security/key-management.md) for the keyring, the
|
|
29
|
+
fail-closed table, and rotation/revocation.
|
|
30
|
+
|
|
31
|
+
## Trusted user approval
|
|
32
|
+
|
|
33
|
+
An agent can **request** approval but must not be able to **mint** it. In v1 only
|
|
34
|
+
the negative half of that is real: `showcase approve` records an
|
|
35
|
+
`untrusted_automation` authority, and the showcase run ledger is **not signed** —
|
|
36
|
+
so a user-required run stays `pending` until approved out of band, and approval is
|
|
37
|
+
enforced **operationally** (your review process), not cryptographically. There is
|
|
38
|
+
no v1 code path that produces a cryptographically trusted user sign-off, and
|
|
39
|
+
interactive-CLI confirmation is **not** one (an agent that drives the terminal can
|
|
40
|
+
satisfy it). The signed-token approval path that closes this gap is specified in
|
|
41
|
+
[ADR 0006](./adr/0006-trusted-user-approval-path.md); it is planned, not shipped.
|
|
42
|
+
MCP tools can request approval but cannot fabricate it.
|
|
43
|
+
|
|
44
|
+
Approval proof, once it exists, is bound to the generated plan hash and the finish
|
|
45
|
+
event for the run. Generated plans, capsules, and runbooks are prepared material
|
|
46
|
+
until a run records events against them.
|
|
47
|
+
|
|
48
|
+
## Ledgers and history
|
|
49
|
+
|
|
50
|
+
Append-only ledgers preserve accidental or disputed history through correction
|
|
51
|
+
events. Normal commands do not physically delete evidence or showcase history.
|
|
52
|
+
Physical purge for secrets or legal requirements needs a separate destructive
|
|
53
|
+
workflow with explicit audit output. The append-only and hash-chain properties
|
|
54
|
+
are **verifiable**, not self-enforcing: validate them against a trusted prior
|
|
55
|
+
state (`validate-ledger --base-ref`) so a wholesale local rewrite is caught.
|
|
56
|
+
|
|
57
|
+
## Hosts and packages
|
|
58
|
+
|
|
59
|
+
Host profiles are expectation data. A host executable smoke result or projection
|
|
60
|
+
manifest can help diagnose setup, but verified host support requires recorded
|
|
61
|
+
evidence IDs.
|
|
62
|
+
|
|
63
|
+
Package checks inspect real tarballs or installed package roots. They reject
|
|
64
|
+
local/session state such as local agent cache and receipt directories, build
|
|
65
|
+
locks, packaged `node_modules/`, coverage output, local absolute paths, and
|
|
66
|
+
secret-looking values.
|